Return-Oriented Programming: Exploits Without Code Injection

...We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code.New computations are constructed by linking together code snippets that end with a “ret” instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.
...

PDF