Today we have detected a server exploting the last ani vulnerability with the known “Heap Spraying” technique. The ani file exploits the vulnerability nevertheless there isn’t a shellcode inside it:
The html page has a javascript code to inject heap as much as possible until a valid memory become the return address to jump after the stack overflow, in this case 0x0B0B0B0B.
The reason to use this technique instead include the shellcode inside the ani file should be to avoid the stack execution protection feature. By this way the shellcode is executed in the heap not in the stack, bypassing this protection. You can see the injected heap in the following image and the shellcode:
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
