rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

VSCode exploit for ipynb integration (CVE-2022-41034) #18998

Closed h00die closed 3 days ago

h00die commented 2 months ago

(I swear it's Jupyter, not Jypiter, but it's spelled this way 5 times in https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m)

VSCode, when opening a Jypiter notebook (.ipynb) file, bypasses the trust model. On versions v1.4.0 - v1.71.1, it's possible for the Jypiter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup.

During testing, the first open of the Jypiter notebook resulted in pop-ups displaying errors about being unable to find the payload exe file. The second attempt at opening the Jypiter notebook would result in successful execution.

Successfully tested against VSCode 1.70.2 on Windows 10.

Verification

jheysel-r7 commented 1 month ago

Hey @h00die, thanks for the module. Testing worked great on Windows 10, no issues.

I was experimenting with getting this working on Linux. I saw lots of the same errors I'm sure you ran into: The terminal process failed to launch: A native exception occurred during launch (args as a string is not supported on unix.). etc.

I noticed on Linux, when you go to open a file, the 'Open File' window doesn't let you paste in a URL like it does on Windows - did you notice this as well? [Screenshot 2024-04-24 at 3:28:49 PM]

So if this were to work on Linux you would need to transfer the project.ipynb file manually to the target machine - while you're at it you could transfer a linux/x64/meterpreter/reverse_tcp payload to tmp and get this exploit to execute the payload in the context of the user running VSCode.

I got the exploit working on Linux using the above technique but the user experience isn't the greatest, having to transfer two files onto the target.

Do you think it'd be worth adding support to exploit Linux targets like that for sake of compatibility?

h00die commented 1 month ago

I noticed on Linux, when you go to open a file, the 'Open File' window doesn't let you paste in a URL like it does on Windows - did you notice this as well?

Yup!

h00die commented 1 month ago

Do you think it'd be worth adding support to exploit Linux targets like that for sake of compatibility?

Better than nothing. Send me a PR, and I'll see if I can figure out any way around that.

h00die commented 1 month ago

Thanks for the update, will either check it out tomorrow or in 2 weeks.

h00die commented 1 week ago

Tried it on Linux (Ubuntu 22.04) following the directions (sending the payload ahead of time) and got a shell back. No point putting the output here...

So I'm happy to have this landed at this point, nice addition (even if the usability is minimal)!

jheysel-r7 commented 3 days ago

Release Notes

VSCode allows users to open a Jypiter notebook (.ipynb) file. Versions v1.4.0 - v1.71.1 allow the Jypiter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.
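As an added, defender-side illustration of the two facts in the release notes above (the affected version range, and that a notebook file can carry embedded HTML and JavaScript), here is a small Ruby script that is not part of this PR or of the Metasploit module. It checks a VSCode version string against the v1.4.0 - v1.71.1 range and lists the cells of an .ipynb document whose stored outputs or markdown source contain active content. The notebook JSON is constructed for the example, and treating text/html and application/javascript output bundles as "active content" is an assumed triage heuristic, not a rule taken from the advisory.

```ruby
require 'json'
require 'rubygems' # Gem::Version; normally loaded by default in Ruby

# Affected range named in the PR and release notes: v1.4.0 through v1.71.1 inclusive.
VULN_FIRST = Gem::Version.new('1.4.0')
VULN_LAST  = Gem::Version.new('1.71.1')

# True when a VSCode version string falls inside the affected range.
# Accepts a leading "v" as printed in the PR description.
def vulnerable_vscode?(version_string)
  v = Gem::Version.new(version_string.sub(/\Av/, ''))
  v.between?(VULN_FIRST, VULN_LAST)
end

# Output MIME types treated as active content for triage (assumed heuristic):
# a notebook viewer may render these rather than show them as plain text.
ACTIVE_MIME = %w[text/html application/javascript].freeze

# Scans a parsed .ipynb document and returns one finding per cell/output that
# carries active content. Each finding is a Hash with the cell index, where the
# content was found (source or output), and the MIME type or marker.
def active_content_findings(notebook)
  findings = []
  Array(notebook['cells']).each_with_index do |cell, idx|
    # Markdown/raw cells can embed <script> tags directly in their source.
    src = Array(cell['source']).join
    if %w[markdown raw].include?(cell['cell_type']) && src =~ /<script\b/i
      findings << { cell: idx, where: 'source', type: 'inline <script>' }
    end
    # Code cells store rendered results as MIME bundles under outputs[].data.
    Array(cell['outputs']).each do |out|
      data = out['data'] || {}
      (data.keys & ACTIVE_MIME).each do |mime|
        findings << { cell: idx, where: 'output', type: mime }
      end
    end
  end
  findings
end

# Constructed sample notebook (not from the PR): a harmless cell, a cell whose
# stored output is an HTML bundle, and a markdown cell containing a script tag.
SAMPLE_NOTEBOOK = JSON.parse(<<~'JSON')
  {
    "cells": [
      { "cell_type": "code", "source": ["print(1+1)"],
        "outputs": [ { "output_type": "stream", "name": "stdout", "text": ["2\n"] } ] },
      { "cell_type": "code", "source": ["display(HTML(page))"],
        "outputs": [ { "output_type": "display_data",
                       "data": { "text/plain": ["<IPython.core.display.HTML object>"],
                                 "text/html": ["<div id=\"report\"></div>"] } } ] },
      { "cell_type": "markdown", "source": ["# Notes\n", "<script src=\"helper.js\"></script>"] }
    ],
    "nbformat": 4, "nbformat_minor": 5
  }
JSON

if __FILE__ == $PROGRAM_NAME
  puts "VSCode 1.70.2 affected? #{vulnerable_vscode?('1.70.2')}"
  active_content_findings(SAMPLE_NOTEBOOK).each { |f| puts f.inspect }
end
```

Run against a real notebook with `active_content_findings(JSON.parse(File.read(path)))`; a finding does not prove a notebook is malicious, only that it contains content a vulnerable viewer would render rather than display as text, which is the condition the PR relies on.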