Share
## https://sploitus.com/exploit?id=9298B3CC-CF17-56D9-939B-F2479B4E168A
# Cube LD_800 temporary root shell

This tool is specific to the tested LD_800 build:

- Android 8.1.0 / API 27
- kernel `4.9.82-perf`
- MSM8953
- vulnerable Binder driver (CVE-2019-2215)

## Interactive use

With network ADB at `192.168.0.40:5555`, run:

```bat
TempRoot.bat
```

For another ADB serial or address:

```bat
TempRoot.bat 192.168.0.40:5555
```

At the `cube-root#` prompt, enter ordinary Android shell commands. Use `exit`
to end the session. The batch file removes the temporary on-device binary
after the session exits.

## Manual use

```text
adb -s 192.168.0.40:5555 push cube_temp_root /data/local/tmp/cube_temp_root
adb -s 192.168.0.40:5555 shell chmod 755 /data/local/tmp/cube_temp_root
adb -s 192.168.0.40:5555 shell -t /data/local/tmp/cube_temp_root root-shell
```

For a single non-interactive command:

```text
adb -s 192.168.0.40:5555 shell /data/local/tmp/cube_temp_root root-command id
```

## Security model and limitations

The shell has UID/GID 0 and full Linux capabilities, but deliberately retains
the `u:r:shell:s0` SELinux domain. SELinux stays Enforcing, so accesses denied
to the normal shell domain can still fail even with UID 0. The separate
validated aboot dumper uses a narrowly scoped PID 1 credential handoff for
block-device reads.

The tool dynamically locates `task_struct`, the task list, private credentials,
and PID 1 credentials. It restores the child credential bytes before exiting.
It does not modify any flash partition or install persistent root.

Always leave the prompt with `exit`. A failed UAF race can reboot the device.