gitmyhub

RootHawk

C ★ 99 updated 10d ago

Linux提权

Go command line tool that bundles known Linux local privilege escalation exploits like PwnKit and Dirty Pipe into one binary for authorized lab testing.

GoCLinuxsetup: moderatecomplexity 4/5

RootHawk is a Linux command line tool that bundles a handful of well known local privilege escalation exploits into a single binary. The README is clear about the intended audience: people running authorized practice targets, virtual machines, and lab environments, where they have permission to test whether a system is patched against a given kernel or Polkit bug. The project is written in Go, even though GitHub tags the repo as C because the C language proof of concept files sit alongside the Go code.

Each exploit is exposed as a module identified by its CVE number. The README lists CVE-2021-4034 (the Polkit bug commonly called PwnKit), CVE-2021-3560 (a Polkit D-Bus authentication bypass), CVE-2022-0847 (Dirty Pipe), CVE-2026-31431 (called Copy Fail, in the kernel's crypto and AF_ALG code paths), and CVE-2026-43284 (Dirty Frag, in the kernel's xfrm and ESP network packet handling). A results table in the README reports successful test runs on AnolisOS, openEuler, UOS, openKylin, Ubuntu, and CentOS 7.

Usage is centered on a few flags. The -list flag prints the available modules. The -e flag runs a single CVE, for example ./RootHawk-amd64 -e CVE-2021-4034. The -any flag walks through every module in order. Two flags shape how Copy Fail behaves: -backup keeps a copy of the original su binary before the exploit modifies it, and -exec runs a chosen program after escalation rather than dropping into a su shell. A -v flag turns on verbose logging.

Prebuilt binaries for amd64, arm64, and 386 ship in the bin folder, so a tester can mark one executable and run it directly inside a target VM.

Where it fits