Format string vulnerabilities can aid in exploitation of systems protected by ASLR, but not NX. The reason is that some format string vulnerabilities allow the attacker to read the stack frame of the function that contains the format string vulnerability. This allows the attacker to figure out the addresses of variables local to that function by reading the stack frame. ASLR randomizes the memory page's base address at the start of the application. So on a 32-bit system the address looks like 0xYYYYZZZZ. In this case the Y's will be randomized, but the Z's are an offset that is more predictable. Ideally, if the attacker can read the randomized base addresses of the same function that he is exploiting with a buffer overflow, then the attacker can be 100% confident of the address where his shellcode will be. If it's not in the same function, then the attacker is less confident of the address of his shellcode, but it can still aid in exploitation. After determining the address where the shellcode will be, the next step is to corrupt the stack frame with a buffer overflow and point the EIP at this known memory location, which to be honest is really far-fetched, and not many exploits use this technique. This technique is covered in great detail in "Exploiting Software: How to Break Code" and in "Hacking: The Art of Exploitation".
There are other ways of reading memory addresses. In Pwn2Own for IE in 2010, a researcher used a heap overflow to overwrite the null terminator and read adjacent memory; he then obtained code execution with a dangling pointer. Dangling pointer vulnerabilities are really nice for systems protected by ASLR, and they are becoming more popular for this reason.
If you look at most of the exploits hitting Metasploit and the exploit forums, you'll see that Return Oriented Programming (ROP chains) is the weapon of choice for exploiting buffer overflows on modern systems.
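
The stack read described above is only possible when untrusted text reaches the format argument. The following is an added example, not part of the original answer: it shows the hardened call next to the vulnerable pattern, plus an audit helper that counts the conversions an input would trigger. The names `render_safe` and `count_conversions` and the sample string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown only as a comment, never compiled):
 *     snprintf(out, n, user);      // user text is parsed as the format
 * Each conversion in `user` consumes a vararg that was never passed, so
 * the output carries stack contents; %n turns the read into a write. */

/* Hardened form: the format is a constant, the input is only data. */
int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Hypothetical audit helper: count printf conversions in `s`.
 * "%%" is a literal percent sign and is not counted.
 * *has_n is set when a %n write-back conversion is present. */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                          /* literal "%%" */
        p += strspn(p, "0123456789$#- +'*.");  /* position, flags, width, precision */
        p += strspn(p, "hlqjztL");             /* length modifiers */
        if (*p == '\0')
            break;                             /* truncated directive at end of input */
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            count++;
            if (*p == 'n')
                *has_n = 1;
        }
    }
    return count;
}

int main(void)
{
    const char *sample = "id=%08x.%08x.%p%n";  /* constructed input */
    char out[64];
    int has_n;
    int n = count_conversions(sample, &has_n);
    render_safe(out, sizeof out, sample);
    printf("%d conversions, %%n=%d, rendered as data: %s\n", n, has_n, out);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn about the commented-out pattern at compile time.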