From 20c948cf5028830066520a96130eecf498ea1f14 Mon Sep 17 00:00:00 2001
From: sjanusz-r7
Date: Thu, 18 Jan 2024 10:53:11 +0000
Subject: [PATCH] Get memory match length from buffer TLV length for Mettle

---
 modules/post/multi/gather/memory_search.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/post/multi/gather/memory_search.rb b/modules/post/multi/gather/memory_search.rb
index 670b94bd4b03..dfd00d4afddc 100644
--- a/modules/post/multi/gather/memory_search.rb
+++ b/modules/post/multi/gather/memory_search.rb
@@ -146,8 +146,10 @@ def print_result(result: nil)
 address_length = session.native_arch == ARCH_X64 ? 16 : 8
 result_group_tlvs.each do |result_group_tlv|
 match_address = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR).value.to_s(16).upcase
- match_length = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_LEN).value
 match_buffer = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_STR).value
+ # Mettle doesn't return this TLV. We can get the match length from the buffer instead.
+ match_length = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_LEN)&.value
+ match_length ||= match_buffer.bytesize
 region_start_address = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_START_ADDR).value.to_s(16).upcase
 region_start_size = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_SECT_LEN).value.to_s(16).upcase
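Review bot: The fallback `match_length ||= match_buffer.bytesize` treats the size of the MATCH_STR payload as the match length, which is only correct if Mettle's MATCH_STR TLV carries exactly the matched bytes rather than a surrounding context window; the hunk does not show which, so the comment should state that assumption, e.g. `# Mettle omits MATCH_LEN; fall back to the MATCH_STR payload size, which is assumed to hold exactly the matched bytes.`. The surrounding reads of MATCH_STR, START_ADDR and SECT_LEN still call `.value` unconditionally, so a result group from a session that omits any of those TLVs raises NoMethodError and aborts printing of every remaining match; since these TLVs originate from the remote session, skipping a group with missing required TLVs via `next` is safer than trusting every field to be present. Note also that `||=` falls through only on nil (0 is truthy in Ruby), so a real zero-length match would not be overwritten. The body of print_result and the each block continue outside this hunk.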