import ctypes
import mmap
from base64 import b64decode
sc = b64decode("SMfHqsvt/+gCAAAA61BIjQVRAAAASIniSP/MxgQkCkiF/3khSP/MxgQkLUj33+sVSIn+g+YPD7Y0MEj/zECINCRIwf8ESIX/dea4AQAAAEj/x0iJ5kgp4g8FSAHUw0iLBCUAAAAAMDEyMzQ1Njc4OWFiY2RlZgA=")
sc_map = mmap.mmap(-1, 0x2000, mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS, mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
sc_map.write(sc)
addr = ctypes.addressof(ctypes.c_void_p.from_buffer(sc_map))
ftype = ctypes.CFUNCTYPE(ctypes.c_void_p)
func = ftype(addr)
func()
mmap也可以用ctypes加载的libc中的mmap替换
import ctypes
from base64 import b64decode
LIBC_PATH = "/usr/lib/x86_64-linux-gnu/libc.so.6"
sc = b64decode("SMfHqsvt/+gCAAAA61BIjQVRAAAASIniSP/MxgQkCkiF/3khSP/MxgQkLUj33+sVSIn+g+YPD7Y0MEj/zECINCRIwf8ESIX/dea4AQAAAEj/x0iJ5kgp4g8FSAHUw0iLBCUAAAAAMDEyMzQ1Njc4OWFiY2RlZgA=")
libc = ctypes.cdll.LoadLibrary(LIBC_PATH)
libc.mmap.restype = ctypes.c_void_p
libc.mmap.argtypes = ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int, ctypes.c_int, ctypes.c_int, ctypes.c_size_t
addr = libc.mmap(ctypes.c_void_p(0), 0x2000, 7, 0x22, -1, 0)
ctypes.memmove(addr, ctypes.byref(ctypes.create_string_buffer(sc)), len(sc))
ftype = ctypes.CFUNCTYPE(ctypes.c_void_p)
func = ftype(addr)
func()