A basic Python utility tool to manipulate SAP's SAR archives. It was developed when I found and exploited CVE-2024-47595.
Content of the repository:
- SAPCARve.py is the utility tool
  - Requires the Kaitai runtime library from https://doc.kaitai.io/serialization.html
- sar.ksy is the Kaitai structure of SAR archives based on https://github.com/OWASP/pysap/blob/master/pysap/SAPCAR.py
- sar.py is the compiled Kaitai structure using the serialization feature https://doc.kaitai.io/serialization.html
  - Using kaitai-struct-compiler --read-write -t python sar.ksy
- tests/ contains an example of a simple SAR archive
- pysapcompress/ contains the code from https://github.com/OWASP/pysap/tree/master/pysapcompress ported to Python 3

Installation (requires python3-dev and build-essential to compile pysapcompress):
$ python3 setup.py develop --user
List the content of a SAR archive (default action is to list):
$ python3 SAPCARve.py ./tests/simple_test.sar
SAR archive version: 2.01
Number of files: 2
0: -rwxrwxrwx 7 foobar.txt
1: -rwxrwxrwx 14 hello_world.txt
Extracting the content of the first file and printing it to the console:
$ python3 SAPCARve.py ./tests/simple_test.sar extract 0
b'foobar\n'
Extracting the second file and storing it in 'extracted.txt':
$ python3 SAPCARve.py ./tests/simple_test.sar extract 1 extracted.txt
$ cat extracted.txt
Hello, World!
Renaming the file 'hello_world.txt' to 'new_name.txt' inside the archive:
$ python3 SAPCARve.py ./tests/simple_test.sar rename 1 new_name.txt
SAR archive version: 2.01
Number of files: 2
0: -rwxrwxrwx 7 foobar.txt
1: -rwxrwxrwx 14 new_name.txt
Swapping blocks inside the archive:
$ python3 SAPCARve.py ./tests/simple_test.sar swap 0 1
SAR archive version: 2.01
Number of files: 2
0: -rwxrwxrwx 14 hello_world.txt
1: -rwxrwxrwx 7 foobar.txt
Adding the file 'sar.ksy' to the archive:
$ python3 SAPCARve.py ./tests/simple_test.sar add file sar.ksy
SAR archive version: 2.01
Number of files: 3
0: -rwxrwxrwx 7 foobar.txt
1: -rwxrwxrwx 14 hello_world.txt
2: -rwxrwxrwx 2139 sar.ksy
$ python3 SAPCARve.py -h
usage: SAPCARve.py [-h] sar {list,extract,add,delete,swap,rename,chmod,merge} ...

SAPCAR manipulation tool

positional arguments:
  sar                   Path to the .sar (or .car) archive
  {list,extract,add,delete,swap,rename,chmod,merge}
    list                List content of the archive
    extract             Extract a file from the archive
    add                 Add a file/symlink/directory to the archive (file, sym, dir respectively)
    delete              Delete a block inside the archive
    swap                Swap two blocks inside the archive
    rename              Rename a file inside the archive
    chmod               Change the permission of a file inside the archive
    merge               Merge two SAR archives by appending blocks from one to the other

options:
  -h, --help            show this help message and exit
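
An added example, not part of the SAPCARve repository: because rename, swap and add change what an archive claims to contain, a receiving side can check a listing in the format shown above before extracting anything. The sample listing, the function names and the two checks (names that leave the extraction directory, duplicate names) are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the listing format shown above; entries 2 and 3 are
# invented for this example and do not come from tests/simple_test.sar.
SAMPLE = """\
SAR archive version: 2.01
Number of files: 4
0: -rwxrwxrwx 7 foobar.txt
1: -rwxrwxrwx 14 hello_world.txt
2: -rwxrwxrwx 9 ../outside.txt
3: -rwxrwxrwx 3 foobar.txt
"""

COUNT = re.compile(r"^Number of files: (\d+)$")
ENTRY = re.compile(r"^(\d+): (\S{10}) (\d+) (.+)$")  # index: mode size name

def parse_listing(text):
    """Return (declared_count, [(index, mode, size, name), ...])."""
    declared, entries = None, []
    for line in text.splitlines():
        if m := COUNT.match(line):
            declared = int(m.group(1))
        elif m := ENTRY.match(line):
            entries.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return declared, entries

def audit(text):
    """Return (index, reason) findings; an empty list means nothing was flagged."""
    declared, entries = parse_listing(text)
    findings, seen = [], {}
    if declared != len(entries):
        findings.append((None, f"header declares {declared} files, parsed {len(entries)}"))
    for idx, _mode, _size, name in entries:
        # Treat backslashes as separators too, then look for absolute or parent paths.
        path = PurePosixPath(name.replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            findings.append((idx, "name escapes the extraction directory"))
        if name in seen:
            findings.append((idx, f"duplicate of entry {seen[name]}"))
        seen.setdefault(name, idx)
    return findings

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE):
        print(idx, reason)
```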