Fix incompatibility with ssl.wrap_socket() in newer python versions in payloads using it #21303

Open
jeanmtr wants to merge 6 commits into rapid7:master from jeanmtr:test-fix-ssl

jeanmtr (Contributor) commented Apr 15, 2026

Fixes #21301

Changes python/meterpreter/reverse_tcp_ssl, cmd/unix/reverse_python_ssl and python/shell_reverse_tcp_ssl to use SSLContext.wrap_socket() instead of ssl.wrap_socket(). However, since the protocols that can be used in version 3.14 and 2.7.18 are not the same, I cannot use ssl.PROTOCOL_TLS_CLIENT for both. Instead, we check if ssl.PROTOCOL_TLS_CLIENT exists and if not, we use ssl.wrap_socket the old way. There is probably a better solution but I cannot find it. One other thing that could work is to use ssl.PROTOCOL_TLSv1_2, which exists both on 2.7.18 and on 3.14 (and in versions in between), but it is marked as deprecated, therefore it is not really future proof.

Verification

For cmd/unix/reverse_python_ssl

  • Generate ssl key and cert
  • Run openssl s_server -accept 4444 -cert server.crt -key server.key -quiet
  • Set up python env to test compatibility with different python versions (pyenv local [version])
  • Run msfvenom -p cmd/unix/reverse_python_ssl LHOST=[host to test]
  • Run the payload
  • Verify if the reverse shell is working
  • Repeat the process with other python versions

For python/shell_reverse_tcp_ssl

  • Generate ssl key and cert
  • Run openssl s_server -accept 4444 -cert server.crt -key server.key -quiet
  • Set up python env to test compatibility with different python versions (pyenv local [version])
  • Run msfvenom -p cmd/unix/reverse_python_ssl LHOST=[host to test]
  • Run python -c "[payload]"
  • Verify if the reverse shell is working
  • Repeat the process with other python versions

For python/meterpreter/reverse_tcp_ssl

(on the host)

  • Run msfconsole
  • use exploit/multi/handler
  • set payload python/meterpreter/reverse_tcp_ssl
  • set LHOST your_ip
  • set LPORT 4444
  • run

(on the attacked machine)

  • Set up python env to test compatibility with different python versions (pyenv local [version])
  • Run msfvenom -p cmd/unix/reverse_python_ssl LHOST=[host to test]
  • Run python -c "[payload]"
  • Verify if the reverse shell is working
  • Repeat the process with other python versions
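
The ssl.PROTOCOL_TLS_CLIENT feature check described in the PR description above, as an added example that is not part of the pull request or Metasploit's code: a generic TLS client wrapper that goes slightly beyond the description by also reporting the verification settings each API ends up with. The function names, the `verify` and `cafile` parameters and the host name `example.test` are assumptions made for illustration.

```python
import socket
import ssl


def wrap_client_socket(sock, server_hostname=None, verify=True, cafile=None):
    """Wrap a TCP socket as a TLS client; return (tls_socket, branch_taken)."""
    if hasattr(ssl, "PROTOCOL_TLS_CLIENT"):
        # Modern branch: the only one left where ssl.wrap_socket() no longer exists.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if not verify:
            # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname checks,
            # unlike ssl.wrap_socket(), whose default was CERT_NONE.
            # check_hostname must be cleared before verify_mode is lowered.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        elif cafile:
            ctx.load_verify_locations(cafile)
        else:
            ctx.load_default_certs()
        return ctx.wrap_socket(sock, server_hostname=server_hostname), "SSLContext"
    # Legacy branch: validates the chain against cafile when verify is set,
    # but never checks the host name.
    reqs = ssl.CERT_REQUIRED if verify else ssl.CERT_NONE
    return ssl.wrap_socket(sock, cert_reqs=reqs, ca_certs=cafile), "ssl.wrap_socket"


def describe(tls_sock):
    """Summarise the verification settings actually in force on a wrapped socket."""
    ctx = tls_sock.context
    return {"verify_mode": ctx.verify_mode, "check_hostname": ctx.check_hostname}


if __name__ == "__main__":
    # Constructed demo: unconnected sockets, so no handshake or network traffic.
    for verify in (True, False):
        raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tls, branch = wrap_client_socket(raw, "example.test", verify=verify)
        print(branch, verify, describe(tls))
        tls.close()
```

Swapping ssl.wrap_socket() for SSLContext(ssl.PROTOCOL_TLS_CLIENT) changes the verification defaults, so code that connects to a self-signed listener such as the openssl s_server used in the verification steps needs that difference handled explicitly.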

Successfully merging this pull request may close these issues.

cmd/unix/reverse_python_ssl Fails on Python 3.14