The shellcode does not have to be in the stack. It could be at any known location, called from the stack smash.
I sent links in the IRC channel that show how to embed shellcode inside a web page image so that it is not visible to the casual observer. The example images show a comparison with and without embedded shellcode. In one shellcode image, the guy has a "dirty arm". The monkey images with an embedded NOP sled are impressive. Here is the link:
http://www.blackhat.com/presentation...-06-Sutton.pdf
*If* you can get a webpage to store its images into a known location (e.g. onscreen framebuffer RAM for a visible web page), you could jump to shellcode inside the image. I have Wikipedia moderator rights and I can load image(s) to Wikipedia without *other* moderator approval [but I have yet to try this]...
ASLR exploits:
http://www.ece.cmu.edu/~dbrumley/cou.../docs/aslr.pdf