Let's assume that a vulnerabled process is set up with an ASLR and DEP against all the imported modules used in this process and there is no way to find a module that is aslr free.. More over, the process is not used by JIT so JIT Spraying is out of scope as well as the heap is not used to cause a buffer overflow(it's a stack based buffer overflow).
How that scenerio could be defeated?
The text segment which is also called the code segment, contains the application's static functionality is not randomized by ASLR. An exploit can jump anywhere into this region of memory reliably, which permits an attacker to build a chain of ROP gadgets. The most common goal of a ROP chain is to setup a stable environment to run shell code, but that is not the only use of ROP.
Additionally, pwn2own has come up with many other bypasses. I highly recommend reading the details papers that are published after every pwn2own. One of my favorite exploits uses a heap overflow to read ASLR'ed memory addresses.
