rook
  • 47.5k
  • 10
  • 98
  • 183

The text segment, which is also called the code segment, contains the application's static functionality and is not randomized by ASLR. An exploit can jump anywhere into this region of memory reliably, which permits an attacker to build a chain of ROP gadgets. The most common goal of a ROP chain is to set up a stable environment to run shellcode, but that is not the only use of ROP.

Additionally, Pwn2Own has come up with many other bypasses. I highly recommend reading the detailed papers that are published after every Pwn2Own. One of my favorite exploits uses a heap overflow to read ASLR'ed memory addresses.
