by airza 3986 days ago
Usually you set these up by aggressively spraying the heap, allocating objects so that copies of the code you're trying to execute are in thousands or more places that are also aligned to the page boundary. The heap doesn't do things that are that random (depending on how new the browser is, obviously), so the intention is to make it so your freed object is replaced with an evil one that has a malicious virtual memory table and will jump somewhere in that heap (to a specific address which will work if you sprayed the heap correctly, and sometimes to one which is calculated with ASLR).

If you get to an attacker-controlled website, it shouldn't be that hard to pull off most of the time, though definitely not deterministic.

(Man, remind me to check that this isn't all horribly wrong after defcon...)
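The mechanism the comment above describes, as an added stand-alone illustration that is not the commenter's code and not taken from any browser: an object whose first word is a virtual-method-table pointer is freed while a stale reference survives, the attacker reclaims the same-size chunk, and a heap "spray" of repeated gadget pointers means the fake vtable pointer only has to land somewhere inside the sprayed region. The `Widget` type, `attacker_gadget`, and the page-sized `sprayed` array are constructed for the example; the gadget is an ordinary C function rather than shellcode so the program runs under NX, and the spray address is read directly instead of being leaked past ASLR, which a real exploit would have to do. Chunk reuse relies on the allocator handing the freed chunk back for the next same-size request (glibc's tcache does this); if it does not, the function reports that instead of a hijack.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed C++-style object: the vtable pointer is the first word, exactly
 * the field a use-after-free lets the attacker replace. */
typedef struct Widget Widget;
typedef void (*method_fn)(Widget *);

struct Widget {
    const method_fn *vtable;
    int id;
};

static int benign_calls = 0;
static int hijacked_calls = 0;

static void benign_method(Widget *w) { (void)w; benign_calls++; }

/* Stands in for shellcode or a ROP pivot (hypothetical gadget). A real exploit
 * points the fake vtable at attacker-controlled bytes; NX makes that hard to
 * demonstrate portably, so an ordinary function plays the role here. */
static void attacker_gadget(Widget *w) { (void)w; hijacked_calls++; }

static const method_fn real_vtable[] = { benign_method };

/* The spray: one page's worth of pointer-sized copies of a single value, so
 * every aligned slot in the region is a usable vtable entry and the attacker
 * does not need to know the exact offset the fake vtable pointer hits. */
#define SPRAY_BYTES 4096
static uintptr_t sprayed[SPRAY_BYTES / sizeof(uintptr_t)];

static void heap_spray(uintptr_t value) {
    for (size_t i = 0; i < SPRAY_BYTES / sizeof(uintptr_t); i++)
        sprayed[i] = value;
}

/* Returns 1 if a call through the stale object pointer reached attacker_gadget,
 * 0 if dispatch stayed benign, and -1 if the allocator did not hand the freed
 * chunk back to the attacker's allocation (the "not deterministic" part). */
int demo_uaf_vtable_hijack(void) {
    benign_calls = hijacked_calls = 0;

    Widget *w = malloc(sizeof *w);
    if (!w) return -1;
    w->vtable = real_vtable;
    w->id = 1;
    w->vtable[0](w);                 /* legitimate dispatch to benign_method */

    Widget *volatile stale = w;      /* the dangling reference the program keeps... */
    free(w);                         /* ...after the object itself is gone */

    /* Attacker-controlled allocation of the same size reclaims the chunk. */
    uint8_t *evil = malloc(sizeof *w);
    if (!evil) return -1;
    if (evil != (uint8_t *)stale) { free(evil); return -1; }

    heap_spray((uintptr_t)attacker_gadget);

    /* Any aligned slot inside the spray works as the fake vtable; 37 is an
     * arbitrary pick. The address is taken directly here; in practice an
     * info leak or partial overwrite is needed to get it under ASLR. */
    uintptr_t fake_vtable = (uintptr_t)&sprayed[37];
    memcpy(evil, &fake_vtable, sizeof fake_vtable);   /* overwrite vtable ptr */

    stale->vtable[0](stale);         /* use-after-free: dispatch via fake vtable */

    free(evil);
    return (hijacked_calls == 1 && benign_calls == 1) ? 1 : 0;
}

int main(void) {
    int r = demo_uaf_vtable_hijack();
    if (r == 1)       puts("hijacked: stale vtable call reached attacker_gadget");
    else if (r == 0)  puts("no hijack: dispatch stayed on the real vtable");
    else              puts("allocator did not reuse the freed chunk");
    return 0;
}
```

The fix on the defender's side is the usual one: null the pointer on free (or use a smart pointer / generational handle so the stale reference cannot be dereferenced), and build with a hardened allocator that delays or randomizes reuse of freed chunks so the attacker's replacement object does not land where the freed one was.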