Fixes #4561 - ensures that the declared interface is preferred over LHOST, and makes it possible to specify a device to capture_sendto().

Also makes should_arp?() logic a little easier to follow using an if instead of an unless.




git-svn-id: file:///home/svn/framework3/trunk@12673 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit/capture.rb

@@ -214,10 +214,11 @@ module Exploit::Capture
 	# a payload and a destination address. To send to the broadcast address, set bcast
 	# to true (this will guarantee that packets will be sent even if ARP doesn't work
 	# out).
-	def capture_sendto(payload="", dhost=nil, bcast=false)
+	def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)
 		raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" unless self.capture
 		raise RuntimeError, "Must specify a host to sendto" unless dhost
-		dst_mac,src_mac = lookup_eth(dhost)
+		dev ||= datastore['INTERFACE']
+		dst_mac,src_mac = lookup_eth(dhost,dev)
 		if dst_mac == nil and not bcast
 			return false
 		end
@@ -287,10 +288,10 @@ module Exploit::Capture
 		end
 
 		src_mac = self.arp_cache[Rex::Socket.source_address(addr)]
-		unless should_arp?(addr)
-			dst_mac = self.arp_cache[:gateway]
-		else
+		if should_arp?(addr)
 			dst_mac = self.arp_cache[addr] || arp(addr)
+		else
+			dst_mac = self.arp_cache[:gateway]
 		end
 
 		self.dst_cache[addr] = [dst_mac,src_mac]
@@ -351,12 +352,12 @@ module Exploit::Capture
 		end
 	end
 
-	def arp_packet(target_ip,source_ip)
+	def arp_packet(target_ip=nil,source_ip=nil)
 		n = Racket::Racket.new
 		n.l3 = Racket::L3::ARP.new
 		n.l3.opcode = 1
 		n.l3.tpa = target_ip || datastore['RHOST']
-		n.l3.spa = datastore['LHOST'] || source_ip
+		n.l3.spa = source_ip || datastore['LHOST'] 
 		my_eth = self.arp_cache[Rex::Socket.source_address(target_ip)]
 		n.l3.sha = my_eth || "00:00:00:00:00:00"
 		return n