Multi-architecture privilege escalation toolkit with 19 pre-built and runtime-compilable exploits. Supports amd64, arm64, 386, mips, mipsle, mips64, and mips64le. Detects kernel version, filters patched exploits, and tries each in order until root is obtained.
Quick Start
# run directly (no gcc needed on target if pre-compiled binaries are embedded)
./lpe-toolkit
# dry-run: show exploit plan without executing
./lpe-toolkit --dry-run
# skip specific exploits
./lpe-toolkit --skip "dirtyfrag,dirtypipe"
# execute a command once root is achieved and show its output
./lpe-toolkit -c "id"
# silent automation: suppress all output except the command result
./lpe-toolkit -q -c "whoami"
# verbose output (includes exploit stdout/stderr)
./lpe-toolkit -v
Usage
| Flag | Description |
|---|---|
--dry-run |
Show which exploits are available/skipped |
--just-build |
Resolve all exploits, print paths, exit (useful for packaging) |
--skip LIST |
Comma-separated exploit names to skip |
-c, --command CMD |
Execute CMD as root instead of spawning an interactive shell |
-q, --quiet |
Suppress toolkit messages; only show root shell output or unsuccessful in getting root |
-v, --verbose |
Include exploit stdout/stderr in output (mutually exclusive with -q) |
Note: -v and -q are mutually exclusive — the toolkit exits with an error if both are specified.
Exploits
| # | Name | Target | Type |
|---|---|---|---|
| 1 | Copy Fail CVE-2026-31431 |
AF_ALG + splice page-cache write | pre-built / compile |
| 2 | Dirty Frag CVE-2026-43284 |
xfrm-ESP/RxRPC page-cache write | pre-built / compile |
| 3 | Fragnesia CVE-2026-46300 |
espintcp splice page-cache corruption | pre-built / compile |
| 4 | DirtyDecrypt CVE-2026-31635 |
rxgk pagecache write | pre-built / compile |
| 5 | Fragnesia v2 | skb_segment GRO coalesce | pre-built / compile |
| 6 | PinTheft | RDS zerocopy + io_uring page-cache overwrite | pre-built / compile |
| 7 | Dirty Pipe CVE-2022-0847 |
/etc/passwd page-cache overwrite | pre-built / compile |
| 8 | CIFSwitch CVE-2026-46243 |
cifs.spnego + NSS namespace confusion | pre-built / compile |
| 9 | PwnKit CVE-2021-4034 |
pkexec environment escape | pre-built / compile |
| 10 | OverlayFS CVE-2021-3493 |
user-ns mount escape | pre-built / compile |
| 11 | OvFS+FUSE CVE-2023-0386 |
FUSE mount escape | pre-built / compile |
| 12 | Polkit D-Bus CVE-2021-3560 |
accounts-daemon race | pre-built / compile |
| 13 | Docker Socket | writable /var/run/docker.sock | pre-built / compile |
| 14 | netfilter OOB CVE-2021-22555 |
ip_tables corruption | pre-built / compile |
| 15 | nft UAF2 CVE-2022-2586 |
nftables chain UAF | pre-built / compile |
| 16 | pidfd race CVE-2026-46333 |
ssh-keysign/shadow FD theft | pre-built / compile |
| 17 | CPU Timer Race CVE-2025-38352 |
POSIX timer race (PoC) | pre-built / compile |
| 18 | nft UAF CVE-2024-1086 |
Notselwyn multi-file nftables | pre-built / compile |
| 19 | GTFOBins | 80+ passwordless sudo techniques | go-handler |
Build from Source
# native build (pre-compile C exploits then embed in Go binary)
make
# cross-compile for all architectures (native arch's C exploits only)
make build-all
# run directly from source (compile exploits on target at runtime)
make run-source
# clean build artifacts
make clean
Requirements: Go 1.21+, gcc, and cross-compilers for target architectures:
- arm64:
aarch64-linux-gnu-gcc - 386:
i686-linux-gnu-gcc - mips:
mips-linux-gnu-gcc - mipsle:
mipsel-linux-gnu-gcc - mips64:
mips64-linux-gnuabi64-gcc - mips64le:
mips64el-linux-gnuabi64-gcc
Pre-Compiled Binary Packaging
The --just-build flag resolves all usable exploits and prints their paths. Use it to verify what will be available at runtime.
The pre-compiled binary archive for each release includes a statically linked Go binary with embedded C exploits pre-compiled for all supported architectures (amd64, arm64, 386, mips, mipsle, mips64, mips64le).
Architecture
toolkit.go: Core exploit definitions, kernel version parsing, binary resolution, GTFOBins sudo abuse handler,execCommandAsRoot()for non-interactive command execution,msg()/say()verbosity helpersmain.go: CLI entry point with flags (-c,-q,-v,--skip,--dry-run,--just-build) and signal handlingbuild-exploits.sh: Cross-compilation script for C exploitsexploits/: C source files and pre-compiled binaries embedded via//go:embed
Notable Changes
- All exploits (including leak-only/PoC-only) now spawn a root shell or execute the requested command
- cve_2026_46333.c: Added
try_passwd_root()— steals writable/etc/shadowfd frompasswd, writes a known password hash, then spawnssu -; falls back to leak-only methods - cve_2025_38352.c: Added dirtypipe-style
splice()overwrite of/etc/passwd→root::0:0:→ spawnssu - - Command mode: Page-cache exploits use
--corrupt-onlyto skip the interactive PTY bridge;execCommandAsRoot()pipes the command tosustdin for reliable non-interactive execution
Comments