Metasploit mailing list archives

honoring route in aux modules


From: mmiller at hick.org (mmiller at hick.org)
Date: Mon, 23 Apr 2007 19:01:11 -0700

On Mon, Apr 23, 2007 at 09:54:56PM -0400, j0hnny wrote:
> Hey all!
>
> First post, so be extra kind. =) Anyhow, I'm working on getting pivot
> stuff to work, and I've had great luck with routing exploit modules
> through "route", but no luck in getting aux modules to ehhh... route
> through route.
>
> For my testing, my payload is windows/meterpreter/reverse_tcp fired
> through windows/browser/ms06_013_createtextrange. My target is natted
> on a 10.8.1.0 net. He hits up the MSF url, meterpreter loads, I
> interact with the session and add a route for 10.8.1.0 through that
> session.
>
> As I said, any further exploit module targeting the 10.8.1 net routes
> through the session as expected. Aux modules, like sweep_udp, ignore
> the route and fail looking for 10.8.1 on my local net.

At the moment this is a limitation of meterpreter's pivoting.  It
doesn't currently support pivoting UDP traffic.  It only supports
pivoting outbound TCP connections.  Perhaps if the stars align and time,
motivation, and interest all coincide, I might toss support in there :)
With that said, if anyone is interested in taking a look at adding
support for this in the meantime, I can point you to the various
locations where code changes would need to be made.  Be forewarned,
though, that it's a non-trivial change :)

If you run into problems with aux modules that establish TCP
connections, definitely let us know as that shouldn't be the case (with
the exception of things like nmap, of course).


