How is shellcode (the payload) added to an executable file? Assume it is close source.
How does the hacker then get the address of where it is? They need this for when they overwrite the return address...
After the above is clarified, an example of how ASLR helps to prevent this would be appreciated.
This question is for native code.
I recommend reading Smashing The Stack For Fun And Profit by Aleph One, which includes some examples of how it is done.
How does the hacker then get the address of where it is?
By using a debugger and disassembly of the program, examining assembly instructions. One of the particular things of interest, as in the referenced article, is Stack Pointer:
The CPU has special instructions for pushing values onto the stack and popping them back from the stack. Each push stores the value at the current location of the stack pointer and decreases the stack pointer. A pop retrieves the value pointed to by the stack pointer and then increases the stack pointer (don't be confused by the fact that adding a value to the stack decreases the stack pointer and removing a value increases it.
If layout randomization is not enabled, stack pointer is predictable, which means hacker can know how to overflow buffers or where to inject shellcode. In fact, to answer the ASLR part of the question, an example of how can that be useful can be seen in How to find stack pointer for overflow bug?
How is shellcode (the payload) added to an executable file?
From untrusted input. One example of that is via command-line parameters. It can be combined with other exploits.
Assuming ASLR is disabled, an attacker could just open a disassembler and look for the address where the shellcode has been stored. This can be easily done by setting a breakpoint just after the user input and then printing the stack in order to find your payload.
In gdb you can run: x/100xg $rsp or in 32 bit: x/100xw $esp.
If you are having problems with finding your payload in all that garbage, you can try sending some A's first and searching for it's hex value (0x41).
If ASLR is enabled it will add a considerable layer of protection by randomizing the base address of every memory region (except the code segment) including the stack, and so, you will not be able to jump to the address in which your payload it's stored.
ASLR doesn't make a program unexploitable though, you can still leak the stack base address and calculate the offset to your payload, or even leak libc base address and perform a ROP.
