😈 `.pwnvscode` 📁

Automatically perform RCE when opened with vscode

How to use it?

Specify payload: ./build.sh '[YOUR_RCE_PAYLOAD]'
It will create the malicious .vscode config folder
Inject the malicious .vscode folder somewhere where the victim may open it with vscode
Spread it using Social Engineering, malicious commit, etc...
Wait

Test it!

Notes

Target developers using vscode (~50% of devs use it)
Not a vulnerability, rather a trick
If you know the path of the malicious .vscode folder, trigger RCE with the URL: vscode://file/C:\[path]\[to]\[project] (Phishing, open redirect, etc)
It is not the stealthest RCE of the world, but sometimes .vscode folder is not checked/changed by devs and can thus pass under the radar
Work w/ code on windows (WSL also)
- Does not seems to work on native linux
- Work on MacOS

Name		Name	Last commit message	Last commit date
Latest commit History 10 Commits
img		img
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
build.mac.sh		build.mac.sh
build.sh		build.sh
tasks.json.tpl		tasks.json.tpl

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

img

img

.gitignore

.gitignore

LICENSE

LICENSE

README.md

README.md

build.mac.sh

build.mac.sh

build.sh

build.sh

tasks.json.tpl

tasks.json.tpl

Repository files navigation

😈 `.pwnvscode` 📁

How to use it?

Test it!

Notes

About

Releases 1

Packages

Languages

License

ariary/.pwnvscode

Folders and files

Latest commit

History

Repository files navigation

😈 .pwnvscode 📁

How to use it?

Test it!

Notes

About

Topics

Resources

License

Stars

Watchers

Forks

Languages

😈 `.pwnvscode` 📁