It's actually pretty neat: you can potentially cause a SIGTERM to be sent to a remote process on Linux if you can cause it to consume large amounts of memory, which in turn can potentially cause a signal handler to be invoked, which can potentially happen at awkward and inopportune moments. Specifically, what I'm trying to accomplish in something I'm working on is this: it has a function they call to deinitialize the entire process, which deallocates globally-scoped memory. It does things like tear down database connections and destroy their opaque datatypes, and other similar things, along with actual calls to free().
So, the Linux OOM killer calls a function named badness() (no joke) that determines every process's likelihood of resource abuse in order to reclaim memory for the system. It's a pretty extreme goodbye, but the OS does this when absolutely necessary to reclaim memory. The badness is calculated from various factors, including the process's capability set (specifically CAP_SYS_ADMIN and CAP_SYS_RAWIO), how long it has been running, how many children it has, and of course how much memory it's consuming. Finally it takes a user-tunable number and left-shifts the badness number that many times. Supposedly a value of -17 in this /proc file can cause the OOM killer to not consider that process if it's a process leader. Furthermore, processes that are in the process of free()'ing memory are not candidates.
So now the stage is set: I have a signal handler that calls a function that is seriously non-reentrant, but I can't reach it via traditionally applicable signals (signals that can be sent remotely), i.e. SIGPIPE, SIGURG, et cetera. It can be reached via things like SIGHUP, SIGTERM, SIGINT.
I can however cause a SIGTERM to be sent indirectly.
All I need is a memory leak, the more of them the better. I need as much precision as I can get on triggering this: if I can get it to trigger at the same time this process is already calling that exit function, and I can use one of the pieces of code that more or less acts as a destructor to use a dangling pointer and write 4 bytes to, say, the actual destructors, then when the process calls libc's exit() I may be able to cause it to call an atexit function, which I hopefully control. If all of these conditions are met, I land at a root shell.