Get memory match length from buffer TLV length for Mettle

rapid7 · Jan 18, 2024 · 20c948c · 20c948c
1 parent 821fa13
commit 20c948c
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/modules/post/multi/gather/memory_search.rb b/modules/post/multi/gather/memory_search.rb
@@ -146,8 +146,10 @@ def print_result(result: nil)
     address_length = session.native_arch == ARCH_X64 ? 16 : 8
     result_group_tlvs.each do |result_group_tlv|
       match_address = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR).value.to_s(16).upcase
-      match_length = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_LEN).value
       match_buffer = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_STR).value
+      # Mettle doesn't return this TLV. We can get the match length from the buffer instead.
+      match_length = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_LEN)&.value
+      match_length ||= match_buffer.bytesize
       region_start_address = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_START_ADDR).value.to_s(16).upcase
       region_start_size = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_SECT_LEN).value.to_s(16).upcase