思科企业级路由器漏洞 CVE-2023-20073 复现与分析<\/h1>

漏洞概述<\/h2>
Cisco RV340、RV340W、RV345 和 RV345P 四款型号的路由器最新固件中存在一个未授权任意文件上传漏洞。攻击者可以在未授权的情况下将文件上传到 `\/tmp\/upload<\/code> 目录中，然后利用 upload.cgi<\/code> 程序中存在的漏洞，最终实现存储型 XSS 攻击。<\/p>`

准备工作<\/h2>
固件获取与解压<\/h3>

固件下载地址：Cisco Systems 软件下载<\/a><\/li>
解压工具安装：
sudo apt-get install binwalk
<\/span><\/span><\/code><\/pre><\/li>
解压固件：
binwalk -Me <固件文件名>
<\/span><\/span><\/code><\/pre><\/li>
解压后进入文件系统：
cd _<固件文件名>.extracted\/squashfs-root\/rootfs
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
QEMU 环境搭建<\/h3>


下载必要的 QEMU 文件：<\/p>

访问 QEMU ARM 镜像索引<\/a><\/li>
下载以下三个文件：

debian_wheezy_armhf_standard.qcow2<\/code><\/li>
initrd.img-3.2.0-4-vexpress<\/code><\/li>
vmlinuz-3.2.0-4-vexpress<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

创建启动脚本 qemu_start.sh<\/code>：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if<\/span>=<\/span>sd,file=<\/span>debian_wheezy_armhf_standard.qcow2 -append "root=\/dev\/mmcblk0p2 console=ttyAMA0"<\/span> -net nic -net tap,ifname=<\/span>tap0,script=<\/span>no,downscript=<\/span>no -nographic
<\/span><\/span><\/code><\/pre><\/li>

网络配置：<\/p>
sudo brctl addbr br0
<\/span><\/span>sudo ifconfig br0 up
<\/span><\/span>sudo tunctl -t tap0
<\/span><\/span>sudo ifconfig tap0 up
<\/span><\/span>sudo brctl addif br0 tap0
<\/span><\/span><\/code><\/pre><\/li>

启动 QEMU：<\/p>
chmod +x qemu_start.sh
<\/span><\/span>.\/qemu_start.sh
<\/span><\/span><\/code><\/pre>登录凭据：用户名 root<\/code>，密码 root<\/code><\/p>
<\/li>
<\/ol>
漏洞分析<\/h2>
Nginx 配置分析<\/h3>


文件上传配置 (\/etc\/nginx\/conf.d\/rest.url.conf<\/code>)：<\/p>
location<\/span> \/api\/operations\/ciscosb-file:form-file-upload<\/span> {
<\/span><\/span>    if<\/span> (<\/span>$http_authorization = "")<\/span> {
<\/span><\/span>        return<\/span> 403<\/span>;
<\/span><\/span>    }
<\/span><\/span>    upload_pass<\/span> \/form-file-upload<\/span>;
<\/span><\/span>    upload_store<\/span> \/tmp\/upload<\/span>;
<\/span><\/span>    upload_store_access<\/span> user:rw<\/span> group:rw<\/span> all:rw<\/span>;
<\/span><\/span>    upload_set_form_field<\/span> $upload_field_name.name "<\/span>$upload_file_name";
<\/span><\/span>    upload_set_form_field<\/span> $upload_field_name.content_type "<\/span>$upload_content_type";
<\/span><\/span>    upload_set_form_field<\/span> $upload_field_name.path "<\/span>$upload_tmp_path";
<\/span><\/span>    upload_aggregate_form_field<\/span> "<\/span>$upload_field_name.md5" "<\/span>$upload_file_md5";
<\/span><\/span>    upload_aggregate_form_field<\/span> "<\/span>$upload_field_name.size" "<\/span>$upload_file_size";
<\/span><\/span>    upload_cleanup<\/span> 400<\/span> 404<\/span> 499<\/span> 500<\/span>-505<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

上传检查 (\/etc\/nginx\/conf.d\/web.upload.conf<\/code>)：<\/p>
location<\/span> \/upload<\/span> {
<\/span><\/span>    if<\/span> (!-f<\/span> "\/tmp\/websession\/token\/<\/span>$cookie_sessionid")<\/span> {
<\/span><\/span>        return<\/span> 403<\/span>;
<\/span><\/span>    }
<\/span><\/span>    # 正则匹配检查防止目录穿越
<\/span><\/span><\/span><\/span>    upload_pass<\/span> \/form-file-upload<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
uWSGI 配置<\/h3>
\/etc\/uwsgi\/upload.ini<\/code> 文件内容：<\/p>
[uwsgi]<\/span>
<\/span><\/span>plugins<\/span> =<\/span> cgi<\/span>
<\/span><\/span>socket<\/span> =<\/span> 127.0.0.1:9003<\/span>
<\/span><\/span>cgi<\/span> =<\/span> \/www\/cgi-bin\/upload.cgi<\/span>
<\/span><\/span>cgi-timeout<\/span> =<\/span> 30<\/span>
<\/span><\/span><\/code><\/pre>upload.cgi 漏洞点<\/h3>
使用 IDA 分析 \/www\/cgi-bin\/upload.cgi<\/code> 文件：<\/p>


主要漏洞函数 sub_115EC<\/code> 中：<\/p>
system("mv -f a2 v8\/a3"<\/span>);
<\/span><\/span><\/code><\/pre>其中：<\/p>

a2<\/code> 可控制为上传文件路径<\/li>
v8<\/code> 可控制为 \/tmp\/www<\/code><\/li>
a3<\/code> 可控制为 login.html<\/code><\/li>
<\/ul>
<\/li>

通过构造参数，可实现：<\/p>
mv -f \/tmp\/upload\/xxx \/www\/login.html
<\/span><\/span><\/code><\/pre>从而篡改路由器登录界面<\/p>
<\/li>
<\/ol>
漏洞复现步骤<\/h2>
1. 准备环境<\/h3>


将修改过的 upload.cgi<\/code> 和 gdbserver<\/code> 上传到 QEMU 虚拟机：<\/p>
scp upload.cgi root@<QEMU_IP>:\/root\/rootfs\/www\/cgi-bin\/
<\/span><\/span>scp gdbserver-7.7.1-armel-eabi5-v1-sysv root@<QEMU_IP>:\/root\/
<\/span><\/span><\/code><\/pre><\/li>

修改权限：<\/p>
chmod +x \/root\/gdbserver-7.7.1-armel-eabi5-v1-sysv
<\/span><\/span><\/code><\/pre><\/li>

修改 upload.ini<\/code> 配置：<\/p>
nano \/etc\/uwsgi\/upload.ini
<\/span><\/span><\/code><\/pre>将 cgi-timeout<\/code> 值增大（如改为 300）<\/p>
<\/li>
<\/ol>
2. 调试准备<\/h3>


启动 gdbserver：<\/p>
\/root\/gdbserver-7.7.1-armel-eabi5-v1-sysv :1234 \/www\/cgi-bin\/upload.cgi
<\/span><\/span><\/code><\/pre><\/li>

在物理机中创建调试脚本 mygdb.sh<\/code>：<\/p>
target remote <QEMU_IP>:1234
<\/span><\/span>file upload.cgi
<\/span><\/span>set architecture arm
<\/span><\/span>b *0x115EC
<\/span><\/span>b *0x11610
<\/span><\/span>b *0x11618
<\/span><\/span>b *0x1161C
<\/span><\/span>b *0x11620
<\/span><\/span>b *0x11624
<\/span><\/span>b *0x11628
<\/span><\/span>b *0x1162C
<\/span><\/span>b *0x11630
<\/span><\/span>b *0x11634
<\/span><\/span>b *0x11638
<\/span><\/span>b *0x1163C
<\/span><\/span>b *0x11640
<\/span><\/span>b *0x11644
<\/span><\/span>b *0x11648
<\/span><\/span>b *0x1164C
<\/span><\/span>b *0x11650
<\/span><\/span>b *0x11654
<\/span><\/span>b *0x11658
<\/span><\/span>b *0x1165C
<\/span><\/span>b *0x11660
<\/span><\/span>b *0x11664
<\/span><\/span>b *0x11668
<\/span><\/span>b *0x1166C
<\/span><\/span>b *0x11670
<\/span><\/span>b *0x11674
<\/span><\/span>b *0x11678
<\/span><\/span>b *0x1167C
<\/span><\/span>b *0x11680
<\/span><\/span>b *0x11684
<\/span><\/span>b *0x11688
<\/span><\/span>b *0x1168C
<\/span><\/span>b *0x11690
<\/span><\/span>b *0x11694
<\/span><\/span>b *0x11698
<\/span><\/span>b *0x1169C
<\/span><\/span>b *0x116A0
<\/span><\/span>b *0x116A4
<\/span><\/span>b *0x116A8
<\/span><\/span>b *0x116AC
<\/span><\/span>b *0x116B0
<\/span><\/span>b *0x116B4
<\/span><\/span>b *0x116B8
<\/span><\/span>b *0x116BC
<\/span><\/span>b *0x116C0
<\/span><\/span>b *0x116C4
<\/span><\/span>b *0x116C8
<\/span><\/span>b *0x116CC
<\/span><\/span>b *0x116D0
<\/span><\/span>b *0x116D4
<\/span><\/span>b *0x116D8
<\/span><\/span>b *0x116DC
<\/span><\/span>b *0x116E0
<\/span><\/span>b *0x116E4
<\/span><\/span>b *0x116E8
<\/span><\/span>b *0x116EC
<\/span><\/span>b *0x116F0
<\/span><\/span>b *0x116F4
<\/span><\/span>b *0x116F8
<\/span><\/span>b *0x116FC
<\/span><\/span>b *0x11700
<\/span><\/span>b *0x11704
<\/span><\/span>b *0x11708
<\/span><\/span>b *0x1170C
<\/span><\/span>b *0x11710
<\/span><\/span>b *0x11714
<\/span><\/span>b *0x11718
<\/span><\/span>b *0x1171C
<\/span><\/span>b *0x11720
<\/span><\/span>b *0x11724
<\/span><\/span>b *0x11728
<\/span><\/span>b *0x1172C
<\/span><\/span>b *0x11730
<\/span><\/span>b *0x11734
<\/span><\/span>b *0x11738
<\/span><\/span>b *0x1173C
<\/span><\/span>b *0x11740
<\/span><\/span>b *0x11744
<\/span><\/span>b *0x11748
<\/span><\/span>b *0x1174C
<\/span><\/span>b *0x11750
<\/span><\/span>b *0x11754
<\/span><\/span>b *0x11758
<\/span><\/span>b *0x1175C
<\/span><\/span>b *0x11760
<\/span><\/span>b *0x11764
<\/span><\/span>b *0x11768
<\/span><\/span>b *0x1176C
<\/span><\/span>b *0x11770
<\/span><\/span>b *0x11774
<\/span><\/span>b *0x11778
<\/span><\/span>b *0x1177C
<\/span><\/span>b *0x11780
<\/span><\/span>b *0x11784
<\/span><\/span>b *0x11788
<\/span><\/span>b *0x1178C
<\/span><\/span>b *0x11790
<\/span><\/span>b *0x11794
<\/span><\/span>b *0x11798
<\/span><\/span>b *0x1179C
<\/span><\/span>b *0x117A0
<\/span><\/span>b *0x117A4
<\/span><\/span>b *0x117A8
<\/span><\/span>b *0x117AC
<\/span><\/span>b *0x117B0
<\/span><\/span>b *0x117B4
<\/span><\/span>b *0x117B8
<\/span><\/span>b *0x117BC
<\/span><\/span>b *0x117C0
<\/span><\/span>b *0x117C4
<\/span><\/span>b *0x117C8
<\/span><\/span>b *0x117CC
<\/span><\/span>b *0x117D0
<\/span><\/span>b *0x117D4
<\/span><\/span>b *0x117D8
<\/span><\/span>b *0x117DC
<\/span><\/span>b *0x117E0
<\/span><\/span>b *0x117E4
<\/span><\/span>b *0x117E8
<\/span><\/span>b *0x117EC
<\/span><\/span>b *0x117F0
<\/span><\/span>b *0x117F4
<\/span><\/span>b *0x117F8
<\/span><\/span>b *0x117FC
<\/span><\/span>b *0x11800
<\/span><\/span>b *0x11804
<\/span><\/span>b *0x11808
<\/span><\/span>b *0x1180C
<\/span><\/span>b *0x11810
<\/span><\/span>b *0x11814
<\/span><\/span>b *0x11818
<\/span><\/span>b *0x1181C
<\/span><\/span>b *0x11820
<\/span><\/span>b *0x11824
<\/span><\/span>b *0x11828
<\/span><\/span>b *0x1182C
<\/span><\/span>b *0x11830
<\/span><\/span>b *0x11834
<\/span><\/span>b *0x11838
<\/span><\/span>b *0x1183C
<\/span><\/span>b *0x11840
<\/span><\/span>b *0x11844
<\/span><\/span>b *0x11848
<\/span><\/span>b *0x1184C
<\/span><\/span>b *0x11850
<\/span><\/span>b *0x11854
<\/span><\/span>b *0x11858
<\/span><\/span>b *0x1185C
<\/span><\/span>b *0x11860
<\/span><\/span>b *0x11864
<\/span><\/span>b *0x11868
<\/span><\/span>b *0x1186C
<\/span><\/span>b *0x11870
<\/span><\/span>b *0x11874
<\/span><\/span>b *0x11878
<\/span><\/span>b *0x1187C
<\/span><\/span>b *0x11880
<\/span><\/span>b *0x11884
<\/span><\/span>b *0x11888
<\/span><\/span>b *0x1188C
<\/span><\/span>b *0x11890
<\/span><\/span>b *0x11894
<\/span><\/span>b *0x11898
<\/span><\/span>b *0x1189C
<\/span><\/span>b *0x118A0
<\/span><\/span>b *0x118A4
<\/span><\/span>b *0x118A8
<\/span><\/span>b *0x118AC
<\/span><\/span>b *0x118B0
<\/span><\/span>b *0x118B4
<\/span><\/span>b *0x118B8
<\/span><\/span>b *0x118BC
<\/span><\/span>b *0x118C0
<\/span><\/span>b *0x118C4
<\/span><\/span>b *0x118C8
<\/span><\/span>b *0x118CC
<\/span><\/span>b *0x118D0
<\/span><\/span>b *0x118D4
<\/span><\/span>b *0x118D8
<\/span><\/span>b *0x118DC
<\/span><\/span>b *0x118E0
<\/span><\/span>b *0x118E4
<\/span><\/span>b *0x118E8
<\/span><\/span>b *0x118EC
<\/span><\/span>b *0x118F0
<\/span><\/span>b *0x118F4
<\/span><\/span>b *0x118F8
<\/span><\/span>b *0x118FC
<\/span><\/span>b *0x11900
<\/span><\/span>b *0x11904
<\/span><\/span>b *0x11908
<\/span><\/span>b *0x1190C
<\/span><\/span>b *0x11910
<\/span><\/span>b *0x11914
<\/span><\/span>b *0x11918
<\/span><\/span>b *0x1191C
<\/span><\/span>b *0x11920
<\/span><\/span>b *0x11924
<\/span><\/span>b *0x11928
<\/span><\/span>b *0x1192C
<\/span><\/span>b *0x11930
<\/span><\/span>b *0x11934
<\/span><\/span>b *0x11938
<\/span><\/span>b *0x1193C
<\/span><\/span>b *0x11940
<\/span><\/span>b *0x11944
<\/span><\/span>b *0x11948
<\/span><\/span>b *0x1194C
<\/span><\/span>b *0x11950
<\/span><\/span>b *0x11954
<\/span><\/span>b *0x11958
<\/span><\/span>b *0x1195C
<\/span><\/span>b *0x11960
<\/span><\/span>b *0x11964
<\/span><\/span>b *0x11968
<\/span><\/span>b *0x1196C
<\/span><\/span>b *0x11970
<\/span><\/span>b *0x11974
<\/span><\/span>b *0x11978
<\/span><\/span>b *0x1197C
<\/span><\/span>b *0x11980
<\/span><\/span>b *0x11984
<\/span><\/span>b *0x11988
<\/span><\/span>b *0x1198C
<\/span><\/span>b *0x11990
<\/span><\/span>b *0x11994
<\/span><\/span>b *0x11998
<\/span><\/span>b *0x1199C
<\/span><\/span>b *0x119A0
<\/span><\/span>b *0x119A4
<\/span><\/span>b *0x119A8
<\/span><\/span>b *0x119AC
<\/span><\/span>b *0x119B0
<\/span><\/span>b *0x119B4
<\/span><\/span>b *0x119B8
<\/span><\/span>b *0x119BC
<\/span><\/span>b *0x119C0
<\/span><\/span>b *0x119C4
<\/span><\/span>b *0x119C8
<\/span><\/span>b *0x119CC
<\/span><\/span>b *0x119D0
<\/span><\/span>b *0x119D4
<\/span><\/span>b *0x119D8
<\/span><\/span>b *0x119DC
<\/span><\/span>b *0x119E0
<\/span><\/span>b *0x119E4
<\/span><\/span>b *0x119E8
<\/span><\/span>b *0x119EC
<\/span><\/span>b *0x119F0
<\/span><\/span>b *0x119F4
<\/span><\/span>b *0x119F8
<\/span><\/span>b *0x119FC
<\/span><\/span>b *0x11A00
<\/span><\/span>b *0x11A04
<\/span><\/span>b *0x11A08
<\/span><\/span>b *0x11A0C
<\/span><\/span>b *0x11A10
<\/span><\/span>b *0x11A14
<\/span><\/span>b *0x11A18
<\/span><\/span>b *0x11A1C
<\/span><\/span>b *0x11A20
<\/span><\/span>b *0x11A24
<\/span><\/span>b *0x11A28
<\/span><\/span>b *0x11A2C
<\/span><\/span>b *0x11A30
<\/span><\/span>b *0x11A34
<\/span><\/span>b *0x11A38
<\/span><\/span>b *0x11A3C
<\/span><\/span>b *0x11A40
<\/span><\/span>b *0x11A44
<\/span><\/span>b *0x11A48
<\/span><\/span>b *0x11A4C
<\/span><\/span>b *0x11A50
<\/span><\/span>b *0x11A54
<\/span><\/span>b *0x11A58
<\/span><\/span>b *0x11A5C
<\/span><\/span>b *0x11A60
<\/span><\/span>b *0x11A64
<\/span><\/span>b *0x11A68
<\/span><\/span>b *0x11A6C
<\/span><\/span>b *0x11A70
<\/span><\/span>b *0x11A74
<\/span><\/span>b *0x11A78
<\/span><\/span>b *0x11A7C
<\/span><\/span>b *0x11A80
<\/span><\/span>b *0x11A84
<\/span><\/span>b *0x11A88
<\/span><\/span>b *0x11A8C
<\/span><\/span>b *0x11A90
<\/span><\/span>b *0x11A94
<\/span><\/span>b *0x11A98
<\/span><\/span>b *0x11A9C
<\/span><\/span>b *0x11AA0
<\/span><\/span>b *0x11AA4
<\/span><\/span>b *0x11AA8
<\/span><\/span>b *0x11AAC
<\/span><\/span>b *0x11AB0
<\/span><\/span>b *0x11AB4
<\/span><\/span>b *0x11AB8
<\/span><\/span>b *0x11ABC
<\/span><\/span>b *0x11AC0
<\/span><\/span>b *0x11AC4
<\/span><\/span>b *0x11AC8
<\/span><\/span>b *0x11ACC
<\/span><\/span>b *0x11AD0
<\/span><\/span>b *0x11AD4
<\/span><\/span>b *0x11AD8
<\/span><\/span>b *0x11ADC
<\/span><\/span>b *0x11AE0
<\/span><\/span>b *0x11AE4
<\/span><\/span>b *0x11AE8
<\/span><\/span>b *0x11AEC
<\/span><\/span>b *0x11AF0
<\/span><\/span>b *0x11AF4
<\/span><\/span>b *0x11AF8
<\/span><\/span>b *0x11AFC
<\/span><\/span>b *0x11B00
<\/span><\/span>b *0x11B04
<\/span><\/span>b *0x11B08
<\/span><\/span>b *0x11B0C
<\/span><\/span>b *0x11B10
<\/span><\/span>b *0x11B14
<\/span><\/span>b *0x11B18
<\/span><\/span>b *0x11B1C
<\/span><\/span>b *0x11B20
<\/span><\/span>b *0x11B24
<\/span><\/span>b *0x11B28
<\/span><\/span>b *0x11B2C
<\/span><\/span>b *0x11B30
<\/span><\/span>b *0x11B34
<\/span><\/span>b *0x11B38
<\/span><\/span>b *0x11B3C
<\/span><\/span>b *0x11B40
<\/span><\/span>b *0x11B44
<\/span><\/span>b *0x11B48
<\/span><\/span>b *0x11B4C
<\/span><\/span>b *0x11B50
<\/span><\/span>b *0x11B54
<\/span><\/span>b *0x11B58
<\/span><\/span>b *0x11B5C
<\/span><\/span>b *0x11B60
<\/span><\/span>b *0x11B64
<\/span><\/span>b *0x11B68
<\/span><\/span>b *0x11B6C
<\/span><\/span>b *0x11B70
<\/span><\/span>b *0x11B74
<\/span><\/span>b *0x11B78
<\/span><\/span>b *0x11B7C
<\/span><\/span>b *0x11B80
<\/span><\/span>b *0x11B84
<\/span><\/span>b *0x11B88
<\/span><\/span>b *0x11B8C
<\/span><\/span>b *0x11B90
<\/span><\/span>b *0x11B94
<\/span><\/span>b *0x11B98
<\/span><\/span>b *0x11B9C
<\/span><\/span>b *0x11BA0
<\/span><\/span>b *0x11BA4
<\/span><\/span>b *0x11BA8
<\/span><\/span>b *0x11BAC
<\/span><\/span>b *0x11BB0
<\/span><\/span>b *0x11BB4
<\/span><\/span>b *0x11BB8
<\/span><\/span>b *0x11BBC
<\/span><\/span>b *0x11BC0
<\/span><\/span>b *0x11BC4
<\/span><\/span>b *0x11BC8
<\/span><\/span>b *0x11BCC
<\/span><\/span>b *0x11BD0
<\/span><\/span>b *0x11BD4
<\/span><\/span>b *0x11BD8
<\/span><\/span>b *0x11BDC
<\/span><\/span>b *0x11BE0
<\/span><\/span>b *0x11BE4
<\/span><\/span>b *0x11BE8
<\/span><\/span>b *0x11BEC
<\/span><\/span>b *0x11BF0
<\/span><\/span>b *0x11BF4
<\/span><\/span>b *0x11BF8
<\/span><\/span>b *0x11BFC
<\/span><\/span>b *0x11C00
<\/span><\/span>b *0x11C04
<\/span><\/span>b *0x11C08
<\/span><\/span>b *0x11C0C
<\/span><\/span>b *0x11C10
<\/span><\/span>b *0x11C14
<\/span><\/span>b *0x11C18
<\/span><\/span>b *0x11C1C
<\/span><\/span>b *0x11C20
<\/span><\/span>b *0x11C24
<\/span><\/span>b *0x11C28
<\/span><\/span>b *0x11C2C
<\/span><\/span>b *0x11C30
<\/span><\/span>b *0x11C34
<\/span><\/span>b *0x11C38
<\/span><\/span>b *0x11C3C
<\/span><\/span>b *0x11C40
<\/span><\/span>b *0x11C44
<\/span><\/span>b *0x11C48
<\/span><\/span>b *0x11C4C
<\/span><\/span>b *0x11C50
<\/span><\/span>b *0x11C54
<\/span><\/span>b *0x11C58
<\/span><\/span>b *0x11C5C
<\/span><\/span>b *0x11C60
<\/span><\/span>b *0x11C64
<\/span><\/span>b *0x11C68
<\/span><\/span>b *0x11C6C
<\/span><\/span>b *0x11C70
<\/span><\/span>b *0x11C74
<\/span><\/span>b *0x11C78
<\/span><\/span>b *0x11C7C
<\/span><\/span>b *0x11C80
<\/span><\/span>b *0x11C84
<\/span><\/span>b *0x11C88
<\/span><\/span>b *0x11C8C
<\/span><\/span>b *0x11C90
<\/span><\/span>b *0x11C94
<\/span><\/span>b *0x11C98
<\/span><\/span>b *0x11C9C
<\/span><\/span>b *0x11CA0
<\/span><\/span>b *0x11CA4
<\/span><\/span>b *0x11CA8
<\/span><\/span>b *0x11CAC
<\/span><\/span>b *0x11CB0
<\/span><\/span>b *0x11CB4
<\/span><\/span>b *0x11CB8
<\/span><\/span>b *0x11CBC
<\/span><\/span>b *0x11CC0
<\/span><\/span>b *0x11CC4
<\/span><\/span>b *0x11CC8
<\/span><\/span>b *0x11CCC
<\/span><\/span>b *0x11CD0
<\/span><\/span>b *0x11CD4
<\/span><\/span>b *0x11CD8
<\/span><\/span>b *0x11CDC
<\/span><\/span>b *0x11CE0
<\/span><\/span>b *0x11CE4
<\/span><\/span>b *0x11CE8
<\/span><\/span>b *0x11CEC
<\/span><\/span>b *0x11CF0
<\/span><\/span>b *0x11CF4
<\/span><\/span>b *0x11CF8
<\/span><\/span>b *0x11CFC
<\/span><\/span>b *0x11D00
<\/span><\/span>b *0x11D04
<\/span><\/span>b *0x11D08
<\/span><\/span>b *0x11D0C
<\/span><\/span>b *0x11D10
<\/span><\/span>b *0x11D14
<\/span><\/span>b *0x11D18
<\/span><\/span>b *0x11D1C
<\/span><\/span>b *0x11D20
<\/span><\/span>b *0x11D24
<\/span><\/span>b *0x11D28
<\/span><\/span>b *0x11D2C
<\/span><\/span>b *0x11D30
<\/span><\/span>b *0x11D34
<\/span><\/span>b *0x11D38
<\/span><\/span>b *0x11D3C
<\/span><\/span>b *0x11D40
<\/span><\/span>b *0x11D44
<\/span><\/span>b *0x11D48
<\/span><\/span>b *0x11D4C
<\/span><\/span>b *0x11D50
<\/span><\/span>b *0x11D54
<\/span><\/span>b *0x11D58
<\/span><\/span>b *0x11D5C
<\/span><\/span>b *0x11D60
<\/span><\/span>b *0x11D64
<\/span><\/span>b *0x11D68
<\/span><\/span>b *0x11D6C
<\/span><\/span>b *0x11D70
<\/span><\/span>b *0x11D74
<\/span><\/span>b *0x11D78
<\/span><\/span>b *0x11D7C
<\/span><\/span>b *0x11D80
<\/span><\/span>b *0x11D84
<\/span><\/span>b *0x11D88
<\/span><\/span>b *0x11D8C
<\/span><\/span>b *0x11D90
<\/span><\/span>b *0x11D94
<\/span><\/span>b *0x11D98
<\/span><\/span>b *0x11D9C
<\/span><\/span>b *0x11DA0
<\/span><\/span>b *0x11DA4
<\/span><\/span>b *0x11DA8
<\/span><\/span>b *0x11DAC
<\/span><\/span>b *0x11DB0
<\/span><\/span>b *0x11DB4
<\/span><\/span>b *0x11DB8
<\/span><\/span>b *0x11DBC
<\/span><\/span>b *0x11DC0
<\/span><\/span>b *0x11DC4
<\/span><\/span>b *0x11DC8
<\/span><\/span>b *0x11DCC
<\/span><\/span>b *0x11DD0
<\/span><\/span>b *0x11DD4
<\/span><\/span>b *0x11DD8
<\/span><\/span>b *0x11DDC
<\/span><\/span>b *0x11DE0
<\/span><\/span>b *0x11DE4
<\/span><\/span>b *0x11DE8
<\/span><\/span>b *0x11DEC
<\/span><\/span>b *0x11DF0
<\/span><\/span>b *0x11DF4
<\/span><\/span>b *0x11DF8
<\/span><\/span>b *0x11DFC
<\/span><\/span>b *0x11E00
<\/span><\/span>b *0x11E04
<\/span><\/span>b *0x11E08
<\/span><\/span>b *0x11E0C
<\/span><\/span>b *0x11E10
<\/span><\/span>b *0x11E14
<\/span><\/span>b *0x11E18
<\/span><\/span>b *0x11E1C
<\/span><\/span>b *0x11E20
<\/span><\/span>b *0x11E24
<\/span><\/span>b *0x11E28
<\/span><\/span>b *0x11E2C
<\/span><\/span>b *0x11E30
<\/span><\/span>b *0x11E34
<\/span><\/span>b *0x11E38
<\/span><\/span>b *0x11E3C
<\/span><\/span>b *0x11E40
<\/span><\/span>b *0x11E44
<\/span><\/span>b *0x11E48
<\/span><\/span>b *0x11E4C
<\/span><\/span>b *0x11E50
<\/span><\/span>b *0x11E54
<\/span><\/span>b *0x11E58
<\/span><\/span>b *0x11E5C
<\/span><\/span>b *0x11E60
<\/span><\/span>b *0x11E64
<\/span><\/span>b *0x11E68
<\/span><\/span>b *0x11E6C
<\/span><\/span>b *0x11E70
<\/span><\/span>b *0x11E74
<\/span><\/span>b *0x11E78
<\/span><\/span>b *0x11E7C
<\/span><\/span>b *0x11E80
<\/span><\/span>b *0x11E84
<\/span><\/span>b *0
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>