This project is based on SAP_GW_RCE_exploit, specifically on SAPanonGWv2.py. It addresses the issue of retrieving the command output carried in the last packet by downgrading the SAPCPIC protocol version from 2 to 1.
To use this exploit, PySAP must be modified to include the `xpg_end` definition in the `SAPCPIC` class (found in `SAPRFC.py`). Add the following line at line 791 of `SAPRFC.py`:

```python
ConditionalField(PacketField("xpg_end", None, SAPRFXPG_END), lambda pkt: pkt.cpic_RFC_f in ['SAPXPG_END_XPG']),
```
- Added a `--route` (`-r`) option to allow exploitation through an SAP Router.