This commentary is based on the work published and performed by "Kingcope". The original text and PoCs are located here: http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/
The inclusion of memory protections in Windows 7 (and now Windows 8) was touted as a means to defeat exploitation attempts by:
1) Preventing code execution on the stack [DEP]
2) Randomizing the memory offsets of Programs (and associated DLLs) [ASLR].
While bypassing DEP has been relatively well documented by multiple sources in numerous locations [see: ROP Chains], ASLR has proven a tougher nut to crack. Randomization of the memory space forces an exploit writer to predict where in memory to point an instruction pointer he or she has gained control over; the goal, of course, is to point it at an area of memory that contains the writer's arbitrary code.
Current methods for "beating" ASLR include utilizing browser memory leak bugs or relying on older DLLs that do not have their image bases randomized. Unfortunately, knowledge of a particular memory leak or reliance on outdated third-party software are niche* scenarios that only rarely line up to produce an ideal attack surface.
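Whether a DLL "has its image base randomized" is not a matter of luck: it is a single opt-in bit in the PE optional header, and a defender can audit a system for modules that lack it. The script below is an added example, not code from Kingcope or from the original post; it reads the `DllCharacteristics` field (offset 70 of both the PE32 and PE32+ optional header) and reports the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and HIGH_ENTROPY_VA bits. The `build_minimal_pe` helper constructs header-only sample images purely so the example runs offline; the function and variable names are my own and are not part of any library.

```python
import struct
import sys

# Bits of the PE DllCharacteristics field (Microsoft PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image base may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigation_flags(image: bytes) -> dict:
    """Return which ASLR/DEP opt-in flags a PE image carries.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> optional
    header, then reads DllCharacteristics, which sits at offset 70 of the
    optional header for both PE32 and PE32+ images.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip 'PE\0\0' and the COFF file header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image (constructed sample, not a loadable DLL)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x2000 = DLL)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2000)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def fixed_base_modules(images: dict) -> list:
    """Names of images that would load at a predictable base (no DYNAMIC_BASE)."""
    return sorted(name for name, img in images.items()
                  if not pe_mitigation_flags(img)["dynamic_base"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit real files given on the command line.
        samples = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:
        # Constructed samples: a legacy DLL with no opt-ins and a modern one.
        samples = {
            "legacy.dll": build_minimal_pe(0),
            "modern.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                           | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        }
    for name, img in samples.items():
        print(name, pe_mitigation_flags(img))
    print("fixed-base modules:", fixed_base_modules(samples))
```

Run it with no arguments to see the constructed samples, or pass DLL paths to audit real modules; anything listed under "fixed-base modules" is the kind of non-randomized image the paragraph above describes, and the fix on the defender's side is rebuilding or replacing it with a /DYNAMICBASE-linked version.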
That's where Kingcope's research comes in!
Now that the selected DLLs (the Windows Media Player DLLs, to continue the example) are loaded at a predictable address, execution of shellcode is only a ROP chain away! I won't spoil the rest of the example Kingcope provided [Hint: LoadLibrary API], but suffice it to say that it is relatively simple to construct a ROP chain by which to execute arbitrary code following a heap spray.
Click the link to view a quick graphic summary.
*Perhaps not so much in the case of Java.