This is a variant of the ``jump into libc'' attack, which has been used successfully on the SPARC architecture at least once (even though it's harder to achieve). Instead of overwriting the return address, overwrite a function pointer.
Of course, pointers to functions don't abound in ordinary C programs (or so it may seem). However, there are programs and libraries that use them. In addition, different platforms use various flavors of dispatch tables for e.g. dynamically loaded objects (shared libraries etc). If an attacker manages to corrupt part of these tables, he can inject arbitrary machine code as well.
In a C++ application or library, you frequently encounter objects with virtual functions. Commonly, virtual functions are also implemented as a table of function pointers, the so-called vtable. Altering this table, or replacing an object's pointer to its vtable allows injection of arbitrary code as well.