I have been reading this article about an Internet Explorer exploit and I am a little confused about why the memory addresses affected by the heap-spray "work".
The paper states that the attack uses a heap-spray to spray ~320MB worth of 0x12121212's. This address was chosen because the attack has control over the memory in and around 0x12121212. In fact, memory address 0x12121212 is where the ROP chain is placed.
I am confused why this works with ASLR enabled; wouldn't the memory addresses be randomized every time?
How is it that 0x12121212 can be used reliably?