by mrguyorama 3206 days ago
For a moment I was excited, as I thought this might finally be an avenue to root my abandoned, older Android phones; however, it looks like the permissions given to the Bluetooth service are not actually full-scale root (which is reasonable, of course).

I wonder whether it is still worth investigating?


What you probably want is this combined with some privilege escalation technique. If you feel like doing the work, have at it.[1]

1: https://www.cvedetails.com/vendor/1224/Google.html

If I already had a working privilege escalation strategy, wouldn't I just be able to run that from a terminal emulator program on the phone? Or using an adb shell? My problem is exactly that there is no privilege escalation vulnerability in my version of the OS (that I know of).

I think DirtyCOW (CVE-2016-5195) had been dormant in the kernel for a long time. If I remember correctly the PoC demonstrated writing on root-owned files. Might be relevant.

https://github.com/dirtycow/dirtycow.github.io/wiki/Vulnerab...

Since there are 34 "Gain Priv" listed on that page for Android (many versions) in 2017, and well over 200 listed for 2016, I would imagine with those as a starting point it might not be too hard to look for likely candidates that have been weaponized (or have working proof of concept code) if you search around a bit. It's not exactly easy, but given the huge number of exploits to work with, it would probably yield something without too much work.

I did notice that the entries there include whether there's a known Metasploit module, though none that I looked at had one shown there. I googled "metasploit" and "android" and found a video tutorial for hacking an Android phone using Metasploit from early 2017[1], so maybe that will help you. In any case, good luck if you try.

1: https://www.youtube.com/watch?v=gfAE1xVBNdo