Rating: 5.0
Start at `0x550000000000` and start mapping a MAP_FIXED_NOREPLACE | MAP_NORESERVE memory of size `0xf0000000`. Map until it fails which means that you, congrats, found the emulator image.
Now, immediately after the failed map, map some memory and put your payload there.
Now, map the memory with MAP_FIXED | MAP_NORESERVE where the emulator image is.
This will zero-out the memory and it would normally lead to a crash when the kernel returns.
However, because RAX will contain the start address of the now-mapped memory and because 00 00 ... decodes to `add byte ptr [rax], al`, this will essentially create a nop sled. The sled will go directly to your shell payload :)