SCADA Strangelove: Hacking in the Name

  1. *All pictures are taken from Dr StrangeLove movie and other Internets
  2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence
      Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov, Evgeny Ermakov, Alexey Osipov, Kirill Nesterov
  3. Body Count's In the House: http://bit.ly/M6kS68
  4. … communication network protocols used for process or industrial automation, building automation, substation automation, automatic meter reading and vehicle automation applications… (c) wiki http://en.wikipedia.org/wiki/List_of_automation_protocols
  5. Let's google it a little bit!
  6. ― Old, slow, boring
        • Google/Bing/Shodanhq/ERIPP
      ― New, fast, easy to automate
        • ZMap, Masscan
        • 30C3 bandwidth
        • Homebrew scans of industrial ports
        • Rapid7 Project Sonar
        • Internet Census (not so new)
        • + fast full-text search engines (Elastic Search)
  7. ― Lots of new information coming up
      ― Modbus (502)
        • http://nmap.org/nsedoc/scripts/modbus-discover.html
        • http://scadastrangelove.blogspot.com/2012/11/plcscan.html
      ― DNP3 (20000)
        • https://code.google.com/p/scadascan/
        • http://sourceforge.net/projects/dnp/
      ― IEC104 (2404)
        • http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
      ― MMS (102)
        • http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html
      ― S7 (102)
        • http://scadastrangelove.blogspot.com/2012/11/plcscan.html
      ― Profinet DCP
        • http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
      ― But some protocols are still not researched
      [kudos to Alexander Timorin @atimorin]
  8. Country, devices: US 31211; DE 3793; IT 2956; BR 2461; GB 2282; CA 2276; KR 1785; SE 1345; ES 1341; NL 1312; FR 1171; TW 1126; CN 891; JP 885
  9. [Chart] ftp 604 (1%); http 49989 (73%); Industrial 1612 (2%); snmp 15253 (23%); telnet 671 (1%)
      [Chart] dnp3 155 (10%); iec104 44 (3%); modbus 532 (34%); s7 827 (53%)
  10. Vendor, devices, share: Tridium 19490 (29%); NRG Systems 11715 (17%); Lantronix 6988 (10%); Moxa 3949 (6%); Beck IPC 3655 (5%); Generic 2794 (4%); Schneider Electric 2458 (4%); Rabbit 1958 (3%); SAP 1639 (2%); Westermo 1526 (2%); Echelon 1395 (2%); Siemens 1322 (2%); TAC AB 1321 (2%); Digi 988 (1%); DATACOM 945 (1%); Other 5933 (9%)
  11. ― Google dorks
      ― Configuration scripts
      ― FS structure
      ― etc
  12. Configuration backup
  13. 94 94 94 9c 9c 9c 9c 94 94 9e = 1234567890
      Configuration backup
  14. ― a:CHIP.INI
  15. ― a:CHIP.INI
      ― a:AUTOEXEC.bat
  16. ― a:CHIP.INI
      ― a:AUTOEXEC.bat
      ― b:http -- SolarLog homedir ->
  17. ― a:CHIP.INI
      ― a:AUTOEXEC.bat
      ― b:http -- SolarLog homedir ->
      ― etc…
  18. --snip--
      Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more.
      Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path and deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely.
      Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission.
      --snip--
  19. The Prodigy - One Love: http://bit.ly/1dEkKR8
  20. [Diagram] PLC1, PLC2, PLC3; Some networks; WinCC Web-Client; WinCC SCADA-Clients; WinCC SCADA-Client + Web-Server; WinCC DataMonitor; WinCC Web-Client; WinCC DataMonitor; WinCC Servers; LAN; PROFINET; PROFIBUS; Internet, corp lan, vpn’s; Engineering station (TIA portal/PCS7)
  21. WinCCExplorer.exe/PdlRt.exe
  22. This is my encryptionkey
  23. Spot the Similarities
  24. Popular HMI; Relatively new system; Platform independent; Custom webserver
      Blind Guardian – Nightfall: http://bit.ly/LRDbLs
  25. http://cvedetails.com for Apache HTTP Server
  26. ― strtok returns NULL if line = “GET \n\n”
      ― No check for return value
  27. ― No path filtration for fopen()
  28. ― Trust in input data: this time it is Content-Length
      ― Mix-up of the size used for memory allocation and the size used for the copy
  29. ― Controlling size of allocated memory
      ― Size of overflowed buffer is limited – 0x19000 (with default settings)
      ― Single thread
      ― Some modules without ASLR – enough to build ROP
      ― Demo
  30. Please read RFC… Before GET / my webserver!
  31. ― SSA-654382, SSA-456423
      ― Affected devices:
        • Siemens S7-1200 PLC
        • Siemens S7-1500 PLC
      ― CVSS Base Score: 8.3
  32. Tested on S7-1200 CPU 1212C ACDCRly, 6ES7 212-1BD30-0XB0, firmware V 2.2.0
  33. PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=
      uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=
      Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=
      tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=
      3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
      b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143
      32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143
      b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143
  34. 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
      3e6cd1f7bdf743cac6dcba708c21994f + d37fa1c30001000100028ad70a00aac800000000000000008ad72143
      3e6cd1f7bdf743cac6dcba708c21994f - ?
      d37fa1c3 - ?
      0001 - ?
      0001 - ?
      00028ad7 - ?
      0a00aac8 - ?
      00000000000000008ad72143 - ?
  35. 3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes)
      d37fa1c3 - CONST (4 bytes)
      0001 - user logout counter (2 bytes)
      0001 - counter of issued cookies for this user (2 bytes)
      00028ad7 - value that doesn’t matter (4 bytes)
      0a00aac8 - user IP address (10.0.170.200) (4 bytes)
      00000000000000008ad72143 - value that doesn’t matter (12 bytes)
      So, what about 3e6cd1f7bdf743cac6dcba708c21994f ???
  36. 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
      3e6cd1f7bdf743cac6dcba708c21994f
      MD5( NEXT 26 BYTES OF COOKIE + 16 BYTES OF SECRET + 2 NULL BYTES)
      What is SECRET ?
  37. SECRET is generated after PLC start by a PRNG.
      The PRNG is a little bit harder than the standard C PRNG.
      SEED in {0x0000 , 0xFFFF}
      It’s too much for bruteforce (PLC so tender >_<)
  38. What about SEED ?
      SEED very often depends on a time value
      SEED = PLC START TIME + 320
      320 was found in practice: the secret is generated ~3-4 seconds after PLC start, using the current time
      How to obtain PLC START TIME ?
  39. PLC START TIME = CURRENT TIME – UPTIME
      Current time
      Uptime
  40. To generate a cookie we should brute:
      ― Logout number (2 bytes, max 65535)
      ― Number of issued cookies (2 bytes, max 65535)
      ― Seed value (2 bytes, but max 100)
      Still too many values to bruteforce …
  41. But if the user (admin) has not logged out properly, then after 7 logins it is not possible to log in again
      We should restart the PLC or wait 30 minutes (cookie expire time)
  42. We can minimize the logout and issued cookies counters to 7.
      To generate a cookie we should brute:
      ― Logout number (2 bytes, max 7)
      ― Number of issued cookies (2 bytes, max 7)
      ― Seed value (2 bytes, but max 100)
  43. Exploitation dependencies:
      ― >= 1 successful logins to PLC after last restart
      ― SNMP enabled and known read community string (but by default it's “public”)
      BUT IT DOES NOT NEED LOGIN AND PASSWORD !!!
  44. CVE Timeline:
      End of July 2013 – vulnerability discovered
      5 August 2013 – vendor notified
      20 March 2014 – patch released, first public advisory
  45. <13.01.2013 In S7 PLC private/public community string for SNMP protocol can't be changed …
      >06.02.2013 … you cannot change the SNMP community string … This issue has no effect on security, as only non-sensitive information can be changed via SNMP. … community strings changeable in TIA Portal v12.5.
      >05.08.2013 … vulnerabilities related to S7 1500 and S7 1200 PLC in attached file … including hardcoded SNMP.
      <22.10.2013 Hardcoded SNMP strings are in fact an issue … We might eventually migrate to SNMPv3 …
  46. PROFINET Discovery and basic Configuration Protocol (PN-DCP)
      The Discovery and Basic Configuration Protocol DCP is a protocol definition within the PROFINET context. It is a Data Link Layer based protocol to configure station names and IP addresses. It is restricted to one subnet and mainly used in small and medium applications without an installed DHCP server.
      System of A Down - Attack: http://bit.ly/LRDkhX
  47. http://www.felser.ch/download/FE-TR-0604.pdf
      http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html
      ― MITM?!
      ― Fuzzing?
  48. “An attacker could cause to go to into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system”
      What is “specially crafted profinet packets” ???
      Just “set” request: set network ip, mask and gateway to all zeroes 0.0.0.0
  49. Industrial network; Corp network
  50. An additional cyber security layer to Experion's™ High Security Network Architecture, the Experion™ Control Firewall, further protects the controller network against message flooding and denial of service attacks.
      Max Richter - Last Days: http://bit.ly/1jsCnvE
  51. ― Kiosk mode
      ― Restricting access to
        • OS functions
        • Application functions
        • Physical ports
        • Drives
        • Phones/Tablets
  52. ― Hot keys
      ― “Open”, “Save”, “Import”/“Export”
      ― Help (MS HLP)
        • Go-go hcp::
      ― URI
        • Windows: File:, Shell:, Telnet:, LDAP:
        • Applications: Quicktime:, Skype:, Play:
      ― IE Image toolbar
      ― iKAT
      ― List of URI handlers
      ― Filesystem functions
  53. ― Sensors and actuators are gateways to industrial networks
        • http://files.pepperl-fuchs.com/selector_files/navi/productInfo/doct/tdoct1933b_eng.pdf
  54. Firewall; SCADA/DCS server; HMI; Engineer station; PLC; Historian server; OPC server
  55. Firewall; SCADA/DCS server; HMI; Engineer station; PLC; Historian server; OPC server
  56. ― More than 40 various binary vulnerabilities (from previous PHDays)
      ― Half of them are easily exploitable stack-based buffer overflows
      ― Guess what, also no modern security (ASLR, DEP, …)
      ― Vulnerabilities are typical for the 90s
  57. ― No input validation
      ― read is interface for recv()
  58. ― Static buffers
      ― read is interface for recv()
  59. ― Unsafe string functions
      ― Use of input data for internal logic
  60. ― “cb” is buffer size
  61. PLC RTU…; IEC 60870-5-104…; TNTScanner.exe; ABB PGP Components; IPC
  62. *http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-MAIL].pdf
      «Also, because the Remote Mailslot Protocol has no authentication, it is unsuitable for applications requiring a secure communication between the sender and receiver.»*
  63. …responsible disclosure
  64. ― How to load 100% CPU of a critical energy-sector SCADA system and drop all connections?
      ― May be common routine:
        • select() … recv() … do_something()
      ― Common routine will do!
  65. ― Use MSG_PEEK
      ― Wait for no less than 16 bytes
      ― Don’t accept anything smaller
      ― Because the bigger - the better
      ― After all threads gone ignore everything else
  66. ― Regex
        # grep recv <decompiled bin function>
        ret = recv(s, buf, buf_len, flags)
        # grep -E 'buf|buf_len' <decompiled bin function>
        ret = recv(s, buf2, buf[42], flags)
      ― This is not supposed to work in the real world!
  67. ― 7 verified RCE vulnerabilities
      ― 4 verified DoS vulnerabilities (all NPD)
  68. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence
      Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov, Evgeny Ermakov, Alexey Osipov, Kirill Nesterov
  69. *All pictures are taken from Dr StrangeLove movie and other Internets
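
The request-handling mistakes listed on slides 26 to 28 (unchecked strtok result, no path filtering before fopen(), Content-Length trusted for sizing), shown here in hardened form. This is an added example, not code from the talk or from any vendor's web server; the function names and the MAX_BODY limit are assumptions made for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 65536UL /* assumed upper bound, chosen for this example */

/* Split "METHOD PATH ..." in place; fails when either token is missing. */
int parse_request_line(char *line, char **method, char **path)
{
    *method = strtok(line, " \r\n");
    *path = strtok(NULL, " \r\n");
    return (*method && *path) ? 0 : -1; /* "GET \n\n" leaves path == NULL */
}

/* Allow only absolute paths over [A-Za-z0-9._/-] that contain no "..". */
int path_is_safe(const char *p)
{
    if (p == NULL || p[0] != '/' || strstr(p, "..") != NULL)
        return 0;
    for (; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._/-", *p))
            return 0;
    return 1;
}

/* Strict Content-Length: decimal digits only, no overflow, at most MAX_BODY. */
int parse_content_length(const char *s, size_t *out)
{
    char *end;
    unsigned long v;
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > MAX_BODY)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* One size drives both malloc() and memcpy(), never more than was received. */
char *copy_body(const char *recv_buf, size_t recv_len, size_t content_length)
{
    char *body = content_length <= recv_len ? malloc(content_length + 1) : NULL;
    if (body == NULL)
        return NULL;
    memcpy(body, recv_buf, content_length);
    body[content_length] = '\0';
    return body;
}

int main(void)
{
    char bad[] = "GET \n\n", ok[] = "GET /index.html HTTP/1.1\r\n";
    char *m, *p;
    printf("bad request line -> %d\n", parse_request_line(bad, &m, &p));
    printf("good request line -> %d\n", parse_request_line(ok, &m, &p));
    printf("path ok -> %d, traversal ok -> %d\n", path_is_safe(p), path_is_safe("/../etc/passwd"));
    return 0;
}
```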
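
The cookie layout from slides 33 to 35, written as a parser and run over the four sample cookies shown on slide 33. This is an added example, not the researchers' tooling; the struct and function names are hypothetical. It makes the slides' observation measurable: outside the MD5, the samples differ only in the small counters, so the token's unpredictability rests on the device secret alone.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 44
#define TAIL "00028ad7" "0a00aac8" "0000000000000000" "8ad72143"
/* Hex cookies from slide 33, split at the field boundaries of slide 35. */
static const char *SAMPLES[4] = {
    "3e6cd1f7bdf743cac6dcba708c21994f" "d37fa1c3" "0001" "0001" TAIL,
    "b8b8875d9513cb618c823af52a682670" "d37fa1c3" "0001" "0002" TAIL,
    "32efef822220b6bc6ad0b569dba9e432" "d37fa1c3" "0001" "0003" TAIL,
    "b631fabed35609f6be4191cf0ed0a729" "d37fa1c3" "0002" "0003" TAIL,
};

struct s7_cookie {               /* hypothetical name; layout from slide 35 */
    uint8_t  md5[16];            /* MD5 that covers the device secret */
    uint32_t constant;           /* CONST, identical in every sample */
    uint16_t logout_count, issued_count;
    uint8_t  ip[4];              /* client IP address */
};

/* Decode one 44-byte cookie from hex; returns 0 on success. */
int decode_cookie(const char *hex, uint8_t raw[COOKIE_LEN])
{
    if (strlen(hex) != 2 * COOKIE_LEN) return -1;
    for (size_t i = 0; i < COOKIE_LEN; i++) {
        const unsigned char *h = (const unsigned char *)hex + 2 * i;
        unsigned v;
        if (!isxdigit(h[0]) || !isxdigit(h[1]) || sscanf((const char *)h, "%2x", &v) != 1) return -1;
        raw[i] = (uint8_t)v;
    }
    return 0;
}

/* Split a cookie into its fields; multi-byte fields are big-endian. */
int parse_cookie(const char *hex, struct s7_cookie *c)
{
    uint8_t b[COOKIE_LEN];
    if (decode_cookie(hex, b) != 0) return -1;
    memcpy(c->md5, b, 16);
    c->constant = (uint32_t)b[16] << 24 | (uint32_t)b[17] << 16 | (uint32_t)b[18] << 8 | b[19];
    c->logout_count = (uint16_t)(b[20] << 8 | b[21]);
    c->issued_count = (uint16_t)(b[22] << 8 | b[23]);
    memcpy(c->ip, b + 28, 4);
    return 0;
}

/* Count the bytes outside the MD5 that differ between two cookies. */
int varying_bytes(const char *hex_a, const char *hex_b)
{
    uint8_t a[COOKIE_LEN], b[COOKIE_LEN];
    int n = 0;
    if (decode_cookie(hex_a, a) || decode_cookie(hex_b, b)) return -1;
    for (size_t i = 16; i < COOKIE_LEN; i++) n += a[i] != b[i];
    return n;
}

int main(void)
{
    struct s7_cookie c;
    for (int i = 0; i < 4 && parse_cookie(SAMPLES[i], &c) == 0; i++)
        printf("logout=%u issued=%u ip=%u.%u.%u.%u\n", c.logout_count, c.issued_count, c.ip[0], c.ip[1], c.ip[2], c.ip[3]);
    printf("bytes differing outside the MD5, cookie 1 vs 2: %d\n", varying_bytes(SAMPLES[0], SAMPLES[1]));
    return 0;
}
```

A session token built this way is only as strong as the secret inside the hash; a token drawn whole from a CSPRNG has no such structure to measure.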
