I don't know enough about how OSX/BSD permissions work. I would think it's as simple as Windows - you can download and execute any .exe or .msi or whatever.
If the exploit gives them root it can do whatever. If the permissions allow the program to manipulate files that it owns' permissions it can change the payload how it likes. It could mmap() or virtualalloc() it and get it to execute that way.
Not really sure how it did it or how the best way to go about doing it would be.