Note this requires the attacker to control the target process, which means this bypass does not add any new security vulnerabilities, nor does it give the process any permissions it did not have before. All this does is make the attacker's life easier: after a successful RCE, instead of manually placing code in memory and jumping to it, they can ship the code as an ELF file and execute it.
theamk, besides what you mentioned there are other points:
1) You keep the target process with the same name. execve changes the process name, but this one does not, so it helps you stay stealthy.
2) You can load the next stage onto a noexec (RW-only) partition and use this to load it into memory.
3) Since a lot of embedded devices contain SELinux, this is also good for bypassing the execmem verification.
bediger4000, I believe they are similar techniques. The difference is the ways to achieve
theamk | 1 year ago
RajuC | 1 year ago
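An added defender-side example, not code from this thread: the footprint the points above describe (original image still mapped under the old name, executable code that has no on-disk backing) is visible in /proc/<pid>/maps, and this scanner flags executable regions that are anonymous, backed by an unlinked file, or writable as well as executable. The maps text, the daemon name and the /dev/shm path are constructed sample data; `scan_pid` reads a live process on Linux.

```python
import re
from typing import Iterable, List, NamedTuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$")

Mapping = NamedTuple("Mapping", [("start", int), ("end", int), ("perms", str),
                                 ("inode", int), ("path", str)])

def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse maps lines; malformed lines are skipped rather than aborting the scan."""
    out = []
    for line in lines:
        m = MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], int(m["inode"]), m["path"].strip()))
    return out

def suspicious_exec_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Executable regions that are anonymous, backed by an unlinked file, or
    writable+executable. A JIT trips the last rule too: hits are leads, not verdicts."""
    hits = []
    for mp in maps:
        if "x" not in mp.perms or mp.path in ("[vdso]", "[vsyscall]"):
            continue  # not executable, or a kernel-provided page that is expected
        anonymous = mp.inode == 0 and not mp.path      # no file behind it at all
        unlinked = mp.path.endswith("(deleted)")       # file removed after mapping
        if anonymous or unlinked or "w" in mp.perms:
            hits.append(mp)
    return hits

def scan_pid(pid: int) -> List[Mapping]:
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_exec_mappings(parse_maps(f))

# Constructed sample: the daemon's own image is still mapped (exe and name unchanged),
# plus an rwx anonymous region and an executable mapping of a file unlinked after mapping.
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3a21000 r-xp 00000000 08:01 1310745 /usr/bin/some_daemon
7f2e4c000000-7f2e4c021000 rwxp 00000000 00:00 0
7f2e4c400000-7f2e4c5c7000 r-xp 00000000 08:01 2624575 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2e4c800000-7f2e4c803000 r-xp 00000000 00:05 12345 /dev/shm/stage2 (deleted)
7ffd1a4ce000-7ffd1a4d0000 r-xp 00000000 00:00 0 [vdso]
""".splitlines()
```

On the sample, `suspicious_exec_mappings(parse_maps(SAMPLE_MAPS))` returns the rwx anonymous region and the unlinked /dev/shm mapping, and nothing for the daemon image, libc or [vdso].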
bediger4000 | 1 year ago
Or are Windows processes so different from Linux processes there's no real comparison?