Visual Studio Code (VS Code) is a widely used, open-source code editor developed by Microsoft. Extensions are add-ons that extend the editor's functionality and let developers tailor their workspace to their needs. Because an extension runs with the same privileges as the VS Code process itself, a malicious extension gives an attacker full access to the victim's system. This guide demonstrates how an attacker can use a malicious VS Code extension to establish a reverse shell and take control of the victim's machine.
The URI format for an extension on the Visual Studio Marketplace is:
vscode://PublisherId.ExtensionName
For example, if config.json sets the PublisherId (extensionId) to Zeron-CySec and the ExtensionName (extensionDisplayName) to ZeronCySec, the URI sent to the victim is:
vscode://Zeron-CySec.ZeronCySec
When the victim opens the link, the browser hands it to VS Code, which prompts to install the extension if it is not already present and then activates it, so the lure depends on the victim accepting that prompt.
- Ensure Node.js, npm, yo, and generator-code are installed on the attacker's machine. You can install all of them with a single command (note that this fetches the nvm installer from GitHub and pipes it straight into bash; review the script or pin the version before running it):
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash && source ~/.bashrc && nvm install node && npm install -g yo generator-code
- Clone the repository.
git clone https://github.com/securezeron/VsCodeExtLure
cd VsCodeExtLure
- Make necessary adjustments in the config.json file
nano config.json
- Execute the VsCodeLure.sh script from inside the cloned directory
chmod +x VsCodeLure.sh
bash VsCodeLure.sh
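The following helper is an added example, not code from the VsCodeExtLure repository: it performs the preflight checks the steps above assume (node, npm, yo and generator-code present) and builds the vscode:// lure URI from config.json so a malformed publisher or extension name fails on the attacker's machine instead of producing a link VS Code rejects. It assumes config.json carries the extensionId and extensionDisplayName keys named above, and the rule that both identifiers contain only letters, digits and hyphens is an assumption for this example; the sample config.json it writes is constructed here.

```bash
#!/usr/bin/env bash
# Added example (not part of VsCodeExtLure): toolchain preflight plus lure-URI
# construction from config.json. Assumes the "extensionId" and
# "extensionDisplayName" keys the README refers to.

# Return 0 when every tool the generator needs is available, 1 otherwise.
check_prereqs() {
    local missing=0 tool
    for tool in node npm yo; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool" >&2
            missing=1
        fi
    done
    # generator-code is a yo generator, not a binary, so look for it in the
    # global npm tree rather than on PATH.
    if ! npm ls -g generator-code >/dev/null 2>&1; then
        echo "missing: generator-code (npm install -g generator-code)" >&2
        missing=1
    fi
    return "$missing"
}

# Extract a string value for a top-level key from a flat JSON object without
# needing jq. Handles only simple "key": "value" pairs, which is all we need.
json_get() {
    local file=$1 key=$2
    sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# Identifier rule assumed for this example: non-empty, letters, digits and
# hyphens only. A space or a dot here would corrupt the publisher.name URI.
valid_id() {
    case $1 in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build vscode://PublisherId.ExtensionName from config.json, failing loudly on
# anything that would not survive as a Marketplace identifier.
build_uri() {
    local cfg=$1 publisher name
    publisher=$(json_get "$cfg" extensionId)
    name=$(json_get "$cfg" extensionDisplayName)
    valid_id "$publisher" || { echo "bad extensionId: '$publisher'" >&2; return 1; }
    valid_id "$name"      || { echo "bad extensionDisplayName: '$name'" >&2; return 1; }
    printf 'vscode://%s.%s\n' "$publisher" "$name"
}

# Constructed sample config.json using the README's example values.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
{
  "extensionId": "Zeron-CySec",
  "extensionDisplayName": "ZeronCySec"
}
EOF

check_prereqs || echo "toolchain incomplete: install the missing tools before running VsCodeLure.sh" >&2
build_uri "$SAMPLE_CFG"
```

Run it from the cloned directory after editing config.json; point build_uri at the real file instead of the constructed sample to get the exact link to send.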
Demo video: Generator.mov
Uploading to the Visual Studio Marketplace:
Demo videos: Scenario1.mov, Scenario2.mov
A huge thanks to MDSec for their excellent blog post on initial access leveraging VS Code extensions.