Backdooring Windows Media Files
-Whitepaper-
Rosario Valotta
INDEX
Backdooring Windows Media Files
Overview
Basics
Embedding script commands in a Windows Media file
Embedding Windows Media Player in a web page
Exploiting Script Commands
Exploit #1 - URL Scripting
Exploit #2 - TEXT Scripting
Exploit #3 - FILENAME Scripting
Exploit #4 - Intranet scanning
Exploit #5 - More Intranet scanning
Exploit #6 - SAMI is my hero
Final notes
Acknowledgements
Bibliography
Overview
In this paper we will analyze some lesser-known features of Windows Media Player and the Windows Media File format, and see how an attacker could exploit some of these features for information gathering and attack scenarios in an Intranet environment.
Basics
The Windows Media Format supports the use of script commands to communicate application actions in ASF or other Windows Media files.
For details about WMF see [1].
A script command is basically made up of two strings: the first string is the type of command, the second one is the command data. When a reading application (e.g. Windows Media Player) that supports script commands of type "URL" receives this command, it will open the specified address in a browser window.
Windows Media Format allows script commands to be embedded among the sounds and images of a Windows Media file or stream, specifying the time position in the stream at which the script command should be triggered. When the stream reaches the time associated with the command, the Windows Media Player control sends a ScriptCommand event with the defined parameters.
The following table lists script types that are supported by Windows Media Player.
Script type - Description
URL - The player sends the specified URL to the browser for display to the user. If an embedded player control is being used, it is possible to add a specific frame reference to the URL by using the &&framename syntax.
FILENAME - A URL to another media file to be played.
CAPTION - A text string that is displayed in the captions area of Windows Media Player. This type supports standard HTML formatting, so the text can be formatted as preferred. An example of use is closed captioning.
EVENT - The name of an event that is to occur. The code for the specified event must be defined in the Windows Media metafile for the stream in order for the player to perform the specified event. An example of use is ad insertion.
OPENEVENT - This script precedes the actual EVENT. The OPENEVENT allows the player to pre-buffer the content so that when the EVENT occurs, the switch between streams appears to be seamless.
TEXT - A TEXT string that is displayed in the captions area of Windows Media Player. Can be plain text, SAMI, or HTML formatted text.
In this advisory, URL, TEXT and FILENAME script commands are analyzed and the related vulnerabilities are disclosed.
Embedding script commands in a Windows Media file
In order to embed script commands in a WM file, a tool called Windows Media Editor is needed: the tool comes bundled with the WM Encoder suite, downloadable for free from the Microsoft website.
WM Editor is a simple tool that enables users to edit media files by adding metadata, indexes, markers and script commands.
A brief introduction to this tool can be found at [2].
Embedding Windows Media Player in a web page
A Windows Media Player control can be easily embedded in an HTML file; for a complete reference about this topic, see [3].
The OBJECT tag is used to define the ActiveX control within the page:
The following OBJECT tag attributes are required:
ID - The name that will be used by other parts of the code to identify and use the ActiveX control.
CLASSID - A hexadecimal number that is unique to the control.
Exploiting Script Commands
Script commands are an easy and effective way to control the behaviour of WMP and of the embedding web page, without actually tampering with the web page itself.
Many so-called Web 2.0 websites allow users to upload self-authored media files or let them provide a link to a media URL that is later retrieved by the website and made available for viewing. Wherever the WMF format is allowed by the website, an attacker could upload or link a specially crafted media file containing one or more script commands. As long as no media format conversion is performed on the uploaded file, there is no way for the website to purge the script commands.
It's important to notice that the execution of script commands in a media stream embedded in a web page is, by default, allowed (see [4]).
In the following pages we'll discuss four attack scenarios that an attacker can easily adopt in order to perform:
Phishing
Information gathering
Intranet scanning
by simply exploiting Script Commands behaviour.
Exploit #1 - URL Scripting
When authoring a Windows Media file, it is possible to define a URL script command; when the command is encountered while the stream is playing, the player launches the URL in the default browser. One can specify which frame the new URL is displayed in by appending two ampersands and the name of the frame in the parameter field. The example below specifies that the URL mypage must be launched in the myframe frame.
SCRIPT COMMAND TYPE= "URL"
Param = http://myweb/mypage.html&&myframe
This behaviour is by design, but it can lead to a lot of nasty scenarios:
CSRF: as multiple URL commands can be embedded in a WM stream, an attacker can drive a victim's browser to initiate multiple GET requests towards a 3rd party website.
Frame hijacking: by triggering the browser to launch a URL in a specified iframe (e.g. http://myweb/mypage.html&&myframe), an attacker can modify the location of an iframe in the current page in order to download malicious content (e.g. Javascript) or hijack an advertising banner.
Please consider that an attacker doesn't need to rely on a website he controls in order to social-engineer the victim; it is enough to upload a scripted WM file to a video sharing community that supports WMV streaming.
PoC available at http://valotta.rosario.googlepages.com/embedWmpURL.htm
Exploit #2 - TEXT Scripting
Text scripting allows HTML or text code to be embedded into a WM stream; when the player reaches the command, the code is displayed in the caption area associated with the player object.
A caption area is defined using Captioning.ID property in the PARAM tags:
A valid captioning area is an HTML tag that has an innerHTML property (e.g. DIV, IFRAME, etc).
The odd thing here is that not only HTML but also Javascript code can be used in the script command and executed in the captioning area.
Example:
SCRIPT COMMAND TYPE= "TEXT"
VALUE=
Exploiting this bug is not trivial as a valid CaptioningID param (inside OBJECT tag) is needed.
PoC available at http://valotta.rosario.googlepages.com/embedWmpAny.htm
Exploit #3 - FILENAME Scripting
Windows Media Player can open local content from the Internet.
This breaks the security zone policy, as a resource from the Internet zone accesses local content.
This bug can be verified by creating a simple ASX file that points to some local content:
and moving the ASX file to some web server.
Loading the ASX file with IE or WMP will result in the local file being played normally, without any warning.
This behaviour is present as well when using FILENAME script commands in a WMF.
When WMP encounters a FILENAME script in a media file, it attempts to open the specified file and begins playing the new stream immediately. What is wrong with FILENAME scripting is that the URI of the file to open can point to a local machine resource:
FILENAME=file://c:/test.wma
When WMP encounters such a tag embedded in the media track, it stops playing the current media and begins to search on the local machine for the specified resource.
This bug can be exploited for two attack scenarios:
local file enumeration
intranet scanning (later explained)
Using some basic Javascript functions available in the WMP SDK, it is possible for an attacker to create a webpage with an embedded WMP control that allows the attacker to detect whether a predefined media file is available on the victim machine.
All media files playable by WMP (gif/jpeg/mp3/wma/wmv, etc) can be detected using this approach.
Using the OpenStateChange event it's possible to track whenever WMP changes state (including when a new file is being opened). So it's pretty simple to determine whether a particular content is available on the local machine by counting the number of times that a media open state is fired.
This exploit works on Windows XP with IE 6/7 and can be modified in order to work with Firefox 2/3 (with the WMP plugin).
Exploit #4 - Intranet scanning
By leveraging the same bug (local zone access) an attacker can use WMP to open files on remote shares on the victim's local network. With the FILENAME script command in the WM file set to:
file://\\\c$\
it is possible to make WMP look for a specific host on the local network.
By creating a specially crafted webpage, it is possible for an attacker to scan an arbitrary number of hosts in the victim's local network and, by parsing the event codes and errors fired by WMP, detect whether those hosts are reachable or not from the victim computer.
How it works
When WMP encounters a FILENAME script command set to:
file://\\\c$\a.mp3
where c$ is one of the default administrative shares of any Windows workgroup and a.mp3 is a dummy non-existent media file, it tries to resolve the URI using the following approach:
Windows I/O manager passes the request to a system component that is named the Multiple UNC Provider (MUP)
MUP sits logically above all the network redirectors. When a network path is passed to MUP, it polls all the registered redirectors to determine whether they understand the path
The redirectors in turn contact the server to establish whether the path is valid for the specific protocol. If the server can satisfy the connection, the redirector will return success back to the MUP. If not, the redirector returns a failure
When a Universal Naming Conventions (UNC) file name is used, the redirector will use SMB, WebDAV, or a combination of the two, depending on what is available on the destination host.
Why it works
On the basis of the error fired it is possible to determine the reachability of any host (from the victim machine):
Error Code - Description
-1072885353 - Host not reachable
-1072885294 - Host reachable
-1072885354 - Host reachable but access to the share denied
Error -1072885353: stands for code C00D1197 (Cannot play the file): the cause is that the host is not reachable through the ICMP or SMB protocol (not announced on the LAN). Another possible cause is that the host is not a Windows host or does not have the c$ default share (we'll see later that it is also possible to detect the operating system of the remote hosts)
Error -1072885294: stands for code C00D11D2 (Cannot access the file): in this case the host is reachable but the client host does not have permission to access the share (remember that it is an administrative share!) or other location where the file is stored
Error -1072885354: stands for code C00D1196 (Incorrect user name or password): in this case the host is reachable but authentication to the host is required (maybe it is somehow protected or maybe the client host is a guest on a Windows network domain)
So, using a bit of JS code it is possible to parse the error code and determine the status of the target host. As the process is based on the parsing of an error code and not on a timing guess, it is an exact detection.
By running this exploit on multiple victim hosts and gathering the information, an attacker can draw a layer 3 map of the victim's network.
A PoC is located at: http://valotta.rosario.googlepages.com/wmpScanner.htm
This sample webpage searches for subnet 10.56.128.0/24 in the client LAN. The IP settings can be modified by creating different entries in the ASX metafile (/scan.asx).
Exploit #5 - More Intranet scanning
When a WM stream originates from a Windows Media Server, it is possible to define the LogURL parameter in the ASX file and let the client error logs be transmitted to the origin server without using Javascript (this feature is by design, see [6]).
For example in the following ASX file:
First trackSecond track
two tracks are provided: the first is a streaming media served by a Windows Media Server, the second can be a common WMF served by a web server. A player rendering an .asx file that contains a LogURL tag will submit its client logs to the streaming server and to the URL specified in the LogURL tag.
When Windows Media Player submits a log entry, it first performs an HTTP GET to the URL that is specified in the LOGURL tag to guarantee that the URL is valid. After an acceptable header is returned, Windows Media Player reconnects to the HTTP server and uses an HTTP POST to send logs to the same URL. To make the URL valid for log posting it is enough to point to an HTML page containing:
WMS ISAPI Log Dll/9.00.00.3372
WMS ISAPI Log Dll/9.00.00.3372
This tricks WMP into believing that the endpoint is a valid ISAPI application that can collect client logs.
WMP Client logs
Logs are submitted to the server when the client ends the playback of any content, for example, when the player transitions from any playing state (play, fast-forward, or rewind) to a nonplaying state (stop, pause, end of stream, and beginning of stream). All possible combinations of state transitions that trigger log submission are available at http://www.microsoft.com/windows/windowsmedia/howto/articles/loggingmodel.aspx
Why collect client logs?
For a complete definition of client side logs consult the above Microsoft resource. What is notable here is that the log parameters include:
Parameter - Description (Example)
c-playerlanguage - Language and country/region code of the player. (Example: en-US)
cs(User-Agent) - Browser type used if the player was embedded in a browser. If the player was not embedded, this field refers to the user agent of the client that generated the log. (Example: Mozilla/4.0_(compatible;_MSIE_4.01;_Windows_98))
cs(Referer) - URL to the Web page in which the player was embedded (if it was embedded). If this is unknown, this field is blank. (Example: http://www.example.microsoft.com)
c-hostexe - For player log entries, the host program (.exe) that was run. For example, a Web page in a browser, a Microsoft Visual Basic applet, or a stand-alone player. For distribution server log entries, the name of the distribution server's service program (.exe) that was run. (Examples: iexplore.exe, vb.exe, mplayer2.exe, WMServer.exe)
c-hostexever - Host program (.exe) version number. (Example: 4.70.1215)
c-os - Client operating system. (Example: Windows_NT)
c-osversion - Version number of the client operating system. (Example: 4.0.0.1381)
c-cpu - Client CPU type. (Example: Pentium)
From this one can easily detect:
The victim's OS brand, OS language and OS version, and the CPU mounted in his computer
All this information can be of great help in fine-tuning the Intranet scanning (for example, if the detected OS is Windows XP Professional one can state that the default shares Music, Pictures are not available)
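A site that accepts user-supplied ASX metafiles can flag the constructs used in Exploits #3, #4 and #5 (file:// and UNC references, and a LogURL that points away from the site) before serving them. The Python below is an added example, not code from the original paper; the host allow-list, the scheme allow-list, the finding labels and the sample metafile are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this example: the hosts the site itself streams from,
# and the URL schemes it is willing to hand to the player.
ALLOWED_HOSTS = {"media.example.com"}
ALLOWED_SCHEMES = {"http", "https", "mms", "rtsp"}


def classify_href(href):
    """Return a finding label for a risky HREF value, or None if acceptable."""
    value = href.strip()
    # Bare UNC path: \\host\share\file or //host/share/file.
    if value.startswith(("\\\\", "//")):
        return "unc-path"
    # Bare drive-letter path: c:\test.wma or c:/test.wma.
    if len(value) > 2 and value[0].isalpha() and value[1] == ":" and value[2] in "\\/":
        return "local-path"
    scheme, sep, rest = value.partition(":")
    if not sep:
        return None  # relative reference, resolved against the metafile's URL
    scheme = scheme.lower()
    if scheme == "file":
        # file://c:/test.wma -> local disk; file://\\host\c$\a.mp3 -> remote share
        target = rest.lstrip("/\\")
        return "file-uri-local" if target[1:2] == ":" else "file-uri-remote-share"
    if scheme not in ALLOWED_SCHEMES:
        return "scheme-not-allowed"
    return None


class AsxAudit(HTMLParser):
    """Tolerant, case-insensitive walk over every element carrying an HREF."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        issue = classify_href(href)
        if issue is None and tag == "logurl":
            # Client logs (OS, language, referer, ...) must stay on our hosts.
            try:
                host = (urlsplit(href.strip()).hostname or "").lower()
            except ValueError:
                host = ""
            if host not in ALLOWED_HOSTS:
                issue = "logurl-foreign-host"
        if issue:
            self.findings.append((tag, issue, href))


def audit_asx(text):
    """Return a list of (element, finding, href) tuples for one metafile."""
    parser = AsxAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample metafile; 192.0.2.10 is a documentation address.
SAMPLE_ASX = r"""<ASX VERSION="3.0">
  <ENTRY><REF HREF="http://media.example.com/clip.wmv"/></ENTRY>
  <ENTRY><REF HREF="file://c:/test.wma"/></ENTRY>
  <ENTRY><REF HREF="file://\\192.0.2.10\c$\a.mp3"/></ENTRY>
  <ENTRY>
    <REF HREF="mms://media.example.com/stream"/>
    <LogURL HREF="http://collector.example.net/log.htm"/>
  </ENTRY>
</ASX>"""

if __name__ == "__main__":
    for element, finding, href in audit_asx(SAMPLE_ASX):
        print(f"{element:7} {finding:22} {href}")
```

This covers metafiles only; FILENAME script commands embedded inside the media file itself are not visible to it, which is why the paper points to format conversion as the way to purge them.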
Exploit #6 - SAMI is my hero
SAMI files are text files that have an .smi or .sami file name extension. They contain the text strings used for synchronized closed captions, subtitles, and audio descriptions. They also specify the timing parameters used by the Windows Media Player control to synchronize closed caption text with audio or video content. When a digital media file reaches a time designated in the SAMI file, the text changes accordingly in the closed caption display area of the Web page.
For a complete guide on this topic, check [7].
SAMI files can be associated with digital media files by using a single URL. This is accomplished by using the sami URL parameter. The URL parameter is preceded by the base URL and a ? character. A URL with a sami parameter follows this syntax:
?sami=
The value of the captionURL parameter follows the parameter name and an equals sign, as in the following example:
http://valotta.rosario.googlepages.com/test.wma?sami=http://myserver.com/test.smi
The nasty thing here is that WMP seems to fail to sanitize the SAMI URI and accepts, apart from HTTP and HTTPS, the mailto: and ftp: URI schemes as well.
The ftp scheme is the interesting one; launching a SAMI URI like this:
http://valotta.rosario.googlepages.com/test.wma?sami=ftp://user:pwd@ftp.intranetdomain.com
from within a browser, nothing apparently happens, but by running a network analyzer it is possible to see that an FTP connection is actually performed!
The FTP issue can be particularly useful for an attacker if the victim uses Internet Explorer 6 (it is still the most used browser among corporate users, see [9]); in this scenario the attacker can rely on an unpatched IE6 vulnerability (see [8]) that allows the creation of specially crafted URLs that chain multiple ftp commands:
http://valotta.rosario.googlepages.com/test.wma?sami=ftp://user:pwd@ftp.intranetdomain.com/%0D%0ADELE%20anyfile.txt%0D%0ACWD//
Such a link could seamlessly force the victim to connect to a local corporate ftp server and delete arbitrary files.
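Since the player does not restrict the scheme of the sami parameter, a site that stores or renders user-supplied media links can apply that restriction itself. The Python below is an added example, not code from the original paper; the http/https allow-list, the problem labels and the example.com test URLs are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: captions are only ever fetched over these schemes.
CAPTION_SCHEMES = {"http", "https"}


def _fully_decoded(value, rounds=3):
    """Percent-decode repeatedly so double-encoded bytes (%250D) are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_caption_param(media_url):
    """Return the problems found in every sami= parameter of media_url."""
    problems = []
    query = urlsplit(media_url).query
    for name, caption_url in parse_qsl(query, keep_blank_values=True):
        if name.lower() != "sami":
            continue
        # CR/LF or other control bytes let one URL carry extra protocol lines.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in _fully_decoded(caption_url)):
            problems.append("control-characters")
        try:
            parts = urlsplit(caption_url)
        except ValueError:
            problems.append("unparseable")
            continue
        scheme = parts.scheme.lower()
        if scheme not in CAPTION_SCHEMES:
            problems.append("scheme-not-allowed:" + (scheme or "none"))
        # user:pwd@host in a caption URL makes the client authenticate somewhere.
        if parts.username is not None or parts.password is not None:
            problems.append("embedded-credentials")
    return problems


if __name__ == "__main__":
    # Constructed test links with the same shape as the ones discussed above.
    for link in (
        "http://media.example.com/test.wma?sami=http://media.example.com/test.smi",
        "http://media.example.com/test.wma?sami=ftp://user:pwd@ftp.example.com/%0D%0ANOOP",
        "http://media.example.com/test.wma?sami=mailto:someone@example.com",
    ):
        print(check_caption_param(link) or "ok", link)
```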
Final notes
The material contained in this paper is for educational purposes only: the author is not responsible for misuse of the information provided.
All the vulnerabilities described in this paper have been reported to the Microsoft Security Response Center twice:
February 2008 (exploits #1,2,3)
March 2009 (exploits #4,5,6)
Microsoft acknowledged the vulnerabilities but stated that no schedule is available for releasing a patch.
Acknowledgements
I'd like to thank Stefano Di Paola and Roberto Suggi Liverani for their valuable advice and suggestions.
Bibliography
[1] MSDN, Microsoft, http://msdn.microsoft.com/en-us/library/aa391228(VS.85).aspx
[2] Plattsburgh University of New York, http://www.plattsburgh.edu/technology/it/help/streamingmedia/mediafileeditor.php
[3] Windows Media, Microsoft, http://www.microsoft.com/windows/windowsmedia/howto/articles/adsolutions2.aspx
[4] Windows Media, Microsoft, http://www.microsoft.com/windows/windowsmedia/player/11/security.aspx
[5] Jeremiah Grossman, Hacking Intranet Websites from the Outside (Take 2), https://www.blackhat.com/presentations/bh-usa-07/Grossman/Whitepaper/bh-usa-07-grossman-WP.pdf
[6] Windows Media, Microsoft, http://www.microsoft.com/windows/windowsmedia/howto/articles/loggingmodel.aspx
[7] MSDN, Microsoft, http://msdn.microsoft.com/en-us/library/ms971327.aspx
[8] Rapid7, http://www.rapid7.com/advisories/R7-0032.jsp
[9] CNET, http://news.cnet.com/8301-17939_109-10231713-2.html
Use case scenario
Some guys from a major record company want to check if any users registered to a peer to peer web community have downloaded some copyrighted media files.
They upload to the web community forum a page containing some scripted FILENAME commands (or a WMP object linking an ASX file with a very long list of file entries).
A PoC is available at the url: http://valotta.rosario.googlepages.com/embedWmpAny3.htm
The PoC searches the client's local machine for a file c:/test.mp3, but it can easily be modified in order to search for a long list of files with a given name in one or more folders that are likely to be used by a peer to peer application:
E.g.
C:\Program Files\eMule\Incoming\01-Song1.mp3
D:\Program Files\eMule\Incoming\01-Song1.mp3
C:\Programmi\eMule\Incoming\Song1.mp3
C:\Programmi\eMule\Incoming\Song-1.mp3
and so on.
By knowing the exact victim OS version and language (see exploit #5), it is possible to refine the search to a subset of folders.
The major record company guy can retrieve all the metadata information about the media he's looking for, by using the standard JS API provided in the WMP SDK.
Among the information retrieved, there are:
Unique file id
Provider name (record company)
Publishing company
If these metadata match the desired ones, and as long as they were not modified by the user, it is likely that the record company guy has found a user who has downloaded (legally or not is out of scope) the target media file.
Use case scenario
An attacker is trying to gather information about a corporate intranet in order to spread some kind of malware and infect some target hosts. He publishes, on a web server he controls, a page with an embedded WM file and, by social engineering, tricks some workers of the target company into visiting this page (e.g. by sending the link to the page in an email).
Using exploits #4 and #5, for each victim that visits that page the attacker can retrieve:
Natted IP (see [6] for details)
A list of IPs that the victim is able to reach through Windows default shares
A list of IPs that are not reachable from the victim host
The OS used and its patching level
From the collected information, the attacker can draw a minimum propagation path for his malware attack, by leveraging routing information and trying to exploit possibly unpatched OS vulnerabilities.