Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/misc/wol.rb
19813 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Udp

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'UDP Wake-On-Lan (WOL)',

14
        'Description' => %q{

15
          This module will turn on a remote machine with a network card that

16
          supports wake-on-lan (or MagicPacket).  In order to use this, you must

17
          know the machine's MAC address in advance.  The current default MAC

18
          address is just an example of how your input should look like.

19


20
          The password field is optional.  If present, it should be in this hex

21
          format: 001122334455, which is translated to "0x001122334455" in binary.

22
          Note that this should be either 4 or 6 bytes long.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [ 'sinn3r' ],

26
        'Notes' => {

27
          'Stability' => [CRASH_SAFE],

28
          'SideEffects' => [],

29
          'Reliability' => []

30
        }

31
      )

32
    )

33


34
    deregister_udp_options

35


36
    register_options(

37
      [

38
        OptString.new('MAC', [true, 'Specify a MAC address', '00:90:27:85:cf:01']),

39
        OptString.new('PASSWORD', [false, 'Specify a four or six-byte password']),

40
        OptBool.new('IPV6', [false, 'Use IPv6 broadcast', false])

41
      ]

42
    )

43
  end

44


45
  #

46
  # Convert the MAC option to binary format

47
  #

48
  def get_mac_addr

49
    mac = datastore['MAC']

50
    if mac !~ /^([0-9a-zA-Z]{2}:){5}[0-9a-zA-Z]{2}$/

51
      print_error('Invalid MAC address format')

52
      return nil

53
    end

54


55
    bin_mac = ''

56
    mac.split(':').each do |group|

57
      bin_mac << [group].pack('H*')

58
    end

59


60
    bin_mac

61
  end

62


63
  #

64
  # Supply a password to go with the WOL packet (SecureON)

65
  #

66
  def parse_password

67
    return '' if datastore['PASSWORD'].nil?

68


69
    dataset = [ datastore['PASSWORD'] ].pack('H*').unpack('C*')

70


71
    # According to Wireshark wiki, this must be either 4 or 6 bytes

72
    if (dataset.length == 4) || (dataset.length == 6)

73
      pass = ''

74
      dataset.each do |group|

75
        pass << group.to_i

76
      end

77


78
      return pass

79
    else

80
      print_error("Bad password format or length: #{dataset.inspect}")

81
    end

82


83
    nil

84
  end

85


86
  def wol_rhost

87
    datastore['IPV6'] ? 'ff:ff:ff:ff:ff:ff' : '255.255.255.255'

88
  end

89


90
  def wol_rport

91
    9

92
  end

93


94
  def run

95
    # If the MAC is bad, no point to continue

96
    mac = get_mac_addr

97
    return if mac.nil?

98


99
    # If there's a password, use it

100
    pass = parse_password

101
    return if pass.nil?

102


103
    # Craft the WOL packet

104
    wol_pkt = "\xff" * 6 # Sync stream (magic packet)

105
    wol_pkt << mac * 16 # Mac address

106
    wol_pkt << pass if !pass.empty?

107


108
    # Send out the packet

109
    print_status('Sending WOL packet...')

110
    connect_udp(true, {

111
      'RHOST' => wol_rhost,

112
      'RPORT' => wol_rport

113
    })

114
    udp_sock.put(wol_pkt)

115
    disconnect_udp

116
  end

117
end

118


119
=begin

120
http://wiki.wireshark.org/WakeOnLAN

121


122
Test:

123
udp && eth.addr == ff:ff:ff:ff:ff:ff

124
=end

125


126