This is a RCE bluetooth vulnerability on Android 8.0 and 9.0
The test python scripts in the folder cve-2020-0022 are from https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/. The original download hyperlink is https://insinuator.net/wp-content/uploads/2020/04/cve_2020_0022_export.tar-1.gz
Other crash script refers to https://cloud.tencent.com/developer/article/1590513 and https://github.com/leommxj/cve-2020-0022
Dive into the analysis and exploitation of BlueFrag CVE-2020-0022 for Android 8.0 and 9.0.
At the end of April 2020, insinuator posted their new research blog about a Bluetooth RCE vulnerability CVE-2020-0022 on Android 8.0 and 9.0. The author gave a detailed analysis and some details about how to exploit, as well as test python scripts. Regarding the exploit, the author didn’t reveal the ROP chain in his post, just left the reader to finish it alone. In this post, I provide a dive into the analysis of this bug, and detail the exploitation by step-by-step debugging. In the end, I implemented the full ROP chain with 5 ROP gadgets by myself to complete the full exploit. The demo video is attached.
NOTE: The full exploitation script will be released soon.
Here is the demo video "BlueFrag: CVE-2020-0022 RCE Exploit For Android 8.0 - 9.0" https://www.youtube.com/watch?v=o-rNRBqx7_k