Hacker News

There are. "(Kernel) address space layout randomization" is one of them. It was circumvented here; that's part of why this is impressive.


How is it possible to put the malicious code in the correct memory spaces? Unless the attacker had a full image of the memory, I don't see how this can be accomplished.


The second bit of the exploit chain, CVE-2016-4655, leads to disclosure of kernel memory addresses. Once a single memory address is known, you can calculate the random offset of the kernel, and then exploit the third part to overwrite the return address and return into specific chunks of kernel code ("Return Oriented Programming"), whose addresses you computed from the offset + a fixed code location. These can let you e.g. install your payload.
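The slide computation and gadget addressing that comment describes, as an added worked example (my own C, not code from the exploit or the page). Every address, symbol name and gadget is a constructed placeholder for illustration, and the page-granular slide is an assumption; the only thing the example relies on is the arithmetic itself: one leaked runtime pointer whose unslid address is known in the static kernel image gives slide = runtime - unslid, and every gadget in the chain is then unslid + slide.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholders: a hypothetical unslid kernel text base and a few
 * symbols/gadgets at fixed offsets from it, as read from the static kernel
 * image. None of these are real XNU addresses. */
#define UNSLID_BASE 0xffffff8000100000ULL
#define SLIDE_ALIGN 0x1000ULL /* assumption: the KASLR slide is page-granular */

typedef struct { const char *name; uint64_t unslid; } sym_t;

static const sym_t syms[] = {
    { "leaked_object_vtable", UNSLID_BASE + 0x00a3f0 }, /* what the info leak discloses */
    { "gadget_pop_x0_ret",    UNSLID_BASE + 0x1c4210 }, /* hypothetical gadgets */
    { "gadget_pop_x1_ret",    UNSLID_BASE + 0x1e8834 },
    { "gadget_str_x0_x1_ret", UNSLID_BASE + 0x2a0c18 },
    { "kernel_task_pointer",  UNSLID_BASE + 0x3f1000 }, /* a writable kernel global */
};

/* Unslid address of a symbol from the static image, 0 if unknown. */
uint64_t unslid_addr(const char *name) {
    for (size_t i = 0; i < sizeof syms / sizeof syms[0]; i++)
        if (strcmp(syms[i].name, name) == 0) return syms[i].unslid;
    return 0;
}

/* Stand-in for the kernel info leak: the attacker reads back the runtime
 * address of one object whose unslid address they already know. */
uint64_t simulate_leak(uint64_t true_slide) {
    return unslid_addr("leaked_object_vtable") + true_slide;
}

/* slide = runtime - unslid. Rejects impossible values so a bad leak is
 * noticed here rather than as a kernel panic later. Returns 1 on success. */
int compute_slide(uint64_t leaked_runtime, uint64_t known_unslid, uint64_t *slide_out) {
    if (leaked_runtime < known_unslid) return 0;
    uint64_t slide = leaked_runtime - known_unslid;
    if (slide % SLIDE_ALIGN != 0) return 0;
    *slide_out = slide;
    return 1;
}

/* Build a chain that stores `value` into kernel_task_pointer: every code
 * address is unslid gadget + slide, data words are left as-is. */
size_t build_rop_chain(uint64_t slide, uint64_t value, uint64_t *chain, size_t cap) {
    if (cap < 5) return 0;
    size_t n = 0;
    chain[n++] = unslid_addr("gadget_pop_x0_ret") + slide;
    chain[n++] = unslid_addr("kernel_task_pointer") + slide; /* popped into x0 */
    chain[n++] = unslid_addr("gadget_pop_x1_ret") + slide;
    chain[n++] = value;                                      /* popped into x1 */
    chain[n++] = unslid_addr("gadget_str_x0_x1_ret") + slide;
    return n;
}

/* Toy executor standing in for the CPU: it knows the kernel's real slide and
 * "returns" into each chain word. Returning to anything that is not a gadget
 * at its real location counts as a panic (return 0), which is what a wrong
 * slide produces on real hardware. Returns 1 and the store performed on success. */
int rop_execute(const uint64_t *chain, size_t n, uint64_t true_slide,
                uint64_t *store_addr, uint64_t *store_val) {
    uint64_t x0 = 0, x1 = 0;
    int stored = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint64_t ret = chain[pc];
        if (ret == unslid_addr("gadget_pop_x0_ret") + true_slide) {
            if (++pc >= n) return 0;
            x0 = chain[pc];
        } else if (ret == unslid_addr("gadget_pop_x1_ret") + true_slide) {
            if (++pc >= n) return 0;
            x1 = chain[pc];
        } else if (ret == unslid_addr("gadget_str_x0_x1_ret") + true_slide) {
            *store_addr = x0;
            *store_val = x1;
            stored = 1;
        } else {
            return 0; /* panic: returned into something that is not a gadget */
        }
    }
    return stored;
}

int main(void) {
    /* The kernel picked this at boot; the attacker does not know it yet. */
    uint64_t true_slide = 0x2a7000ULL; /* constructed */
    uint64_t leaked = simulate_leak(true_slide), slide = 0, chain[8], addr = 0, val = 0;

    if (!compute_slide(leaked, unslid_addr("leaked_object_vtable"), &slide))
        return 1;
    size_t n = build_rop_chain(slide, 0x4141414141414141ULL, chain, 8);
    int ok = rop_execute(chain, n, true_slide, &addr, &val);
    printf("leak 0x%llx -> slide 0x%llx, chain %s (stored 0x%llx at 0x%llx)\n",
           (unsigned long long)leaked, (unsigned long long)slide,
           ok ? "ran" : "panicked", (unsigned long long)val, (unsigned long long)addr);

    /* Off by one page: the same chain returns into non-code and panics. */
    build_rop_chain(slide + SLIDE_ALIGN, 0, chain, 8);
    printf("wrong slide: chain %s\n",
           rop_execute(chain, n, true_slide, &addr, &val) ? "ran" : "panicked");
    return ok ? 0 : 1;
}
```

The second run in main is the practitioner's caveat: the leaked pointer has to be one whose unslid value is genuinely known from the static image (a vtable pointer, a function pointer, a global), because an error of even one page in the slide sends every return in the chain into the wrong place and the kernel panics instead of running the payload.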



