See the blog at https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-for-fun-and-negative-profit.
Also https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43907.
npm install
.- Store
vsda.node
for your architecture in/routes/vsda.node
. - Run
npm start
or usectrl+shift+b
in VS Code. - Open
http://localhost:3000
and follow the instructions.
- Windows:
C:\Program Files\Microsoft VS Code\resources\app\node_modules.asar.unpacked\vsda\build\Release\vsda.node
. - Server (WSL):
~/.vscode-server/bin/{commit}/node_modules/vsda/build/Release/vsda.node
.
This probably only works locally because we need to connect directly to the Inspector instance.
- Edit
/public/javascripts/nem.js
and search forZZZ
. - Uncomment the next two lines (see below).
// in nem.js - uncomment the two lines after ZZZ`
// ZZZ
// const res = await (await postJSON('/inspect', packet.data)).arrayBuffer();
// showMessage(bufferToString(res));
- Edit
/routes/sign.js
and search forZZZ
. - Modify the IP address in
popCalc
.
// ZZZ Change the IP address here.
popCalc('192.168.1.130', port);
MIT, see LICENSE.