Just elaborating on this. One way of looking at it is that we turn the attacked program into an interpreter thus bypassing the requirement for executability.

It turns out that a lot of programs can be tricked into interpreting a family of languages called rop chains.