on Huawei Honor 4X

A company called Armis published a PoC of a family of RCE Bluetooth vulnerabilities (not only but here limited to Android). They called it BlueBorne.

The reason this exploit hasn't been seen in public use is that it requires information leak about the location of libraries in the victim's memory via the information leak vulnerability (CVE-2017-0785) since different phone models have different libraries due to compiling. With that information one can overcome the ASLR quite easily because there are no other methods of stack protection in use like a stack canary.

Be aware that on ARM code is compiled having one Byte offset after the function label due to different execution instruction sets offered on ARM chips, specifically "ARM mode" and "Thumb mode".

If you want debuggerd to suspend crashed processes so you can attach gdb, set the appropriate property:

adb shell setprop debug.debuggerd.wait_for_gdb true

adb shell setprop debug.db.uid 999999 At the end of the usual crash output, debuggerd provides instructions on how to connect gdb using the command: gdbclient PID https://source.android.com/devices/tech/debug/gdb

Make sure you have pybluez and pwntools installed: on Ubuntu (apt-get) execute the following commands:

sudo apt-get install bluetooth libbluetooth-dev
sudo pip install pybluez
sudo pip install pwntools

https://www.armis.com/blueborne/

https://github.com/ojasookert/CVE-2017-0785 for CVE-2017-0785 PoC (information leak vulnerability) https://github.com/ArmisSecurity/blueborne for the research and extensive code