Analysis updated 2026-06-24
Confirm in a lab VM whether a Linux distro is patched against PwnKit, Dirty Pipe, and newer CVEs.
Walk through every supported CVE module in order with the -any flag on a practice target.
Study packaged proof-of-concept code for kernel and Polkit privilege escalation bugs.
Run a post-escalation command with -exec instead of dropping into a su shell.
| | roadbicycle-c/roothawk | dreamfekk/andriod-autouedump-gui | division-36/z-jail |
|---|---|---|---|
| Stars | 31 | 35 | 25 |
| Language | C | C | C |
| Setup difficulty | moderate | hard | moderate |
| Complexity | 4/5 | 5/5 | 3/5 |
| Audience | ops devops | researcher | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Run only against authorized practice targets and lab VMs. Copy Fail modifies the su binary unless -backup is set.
RootHawk is a Linux command-line tool that bundles a handful of well-known local privilege escalation exploits into a single binary. The README is clear about the intended audience: people running authorized practice targets, virtual machines, and lab environments, where they have permission to test whether a system is patched against a given kernel or Polkit bug. The project is written in Go, even though GitHub tags the repo as C because the C-language proof-of-concept files sit alongside the Go code.

Each exploit is exposed as a module identified by its CVE number. The README lists CVE-2021-4034 (the Polkit bug commonly called PwnKit), CVE-2021-3560 (a Polkit D-Bus authentication bypass), CVE-2022-0847 (Dirty Pipe), CVE-2026-31431 (called Copy Fail, in the kernel's crypto and AF_ALG code paths), and CVE-2026-43284 (Dirty Frag, in the kernel's xfrm and ESP network packet handling). A results table in the README reports successful test runs on AnolisOS, openEuler, UOS, openKylin, Ubuntu, and CentOS 7.

Usage is centered on a few flags. The -list flag prints the available modules. The -e flag runs a single CVE, for example ./RootHawk-amd64 -e CVE-2021-4034. The -any flag walks through every module in order. Two flags shape how Copy Fail behaves: -backup keeps a copy of the original su binary before the exploit modifies it, and -exec runs a chosen program after escalation rather than dropping into a su shell. A -v flag turns on verbose logging. Prebuilt binaries for amd64, arm64, and 386 ship in the bin folder, so a tester can mark one executable and run it directly inside a target VM.
Go command-line tool that bundles known Linux local privilege escalation exploits like PwnKit and Dirty Pipe into one binary for authorized lab testing.
Mainly C. The stack also includes Go and Linux.
Setup difficulty is rated moderate, with roughly 30 min to a first successful run.
Mainly ops devops.
Verify against the repo before relying on details.