Today we have detected a server exploiting the latest ANI vulnerability with the well-known “heap spraying” technique. The ANI file triggers the vulnerability, yet there is no shellcode inside it:
The HTML page carries JavaScript that fills the heap with as many copies of the payload as possible, until a known address is almost certain to hold it; that address, 0x0B0B0B0B in this case, is then used as the return address to jump to after the stack overflow.
The likely reason for using this technique, rather than embedding the shellcode in the ANI file, is to avoid the stack execution protection feature: the shellcode is executed from the heap rather than from the stack, bypassing that protection. You can see the sprayed heap and the shellcode in the following image:
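As an added example from the detection side (not code from the post or from the page analysed), the following Python script scores a scraped JavaScript fragment for the building blocks of a heap spray described above: a repeating `unescape("%uXXXX...")` filler, a string that doubles itself in a loop, and a loop that stores many copies of that string into an array. It also recovers the 32-bit value such a filler lays down in memory, which for the `%u0b0b` pattern is the 0x0B0B0B0B return address mentioned in the post. The two sample fragments and the function names (`analyze`, `is_suspicious`, `implied_dword`) are constructed for this example; the spray sample contains filler only, no payload.

```python
"""Heuristic detector for heap-spray patterns in scraped JavaScript (added example)."""
import re

# Constructed sample resembling the spray logic described in the post
# (filler only; the "block" variable is deliberately undefined here).
SPRAY_SAMPLE = r'''
var filler = unescape("%u0b0b%u0b0b");
while (filler.length < 0x100000) filler += filler;
var slots = new Array();
for (var i = 0; i < 400; i++) slots[i] = filler + block;
'''

# Constructed benign sample: ordinary DOM code with a small loop.
BENIGN_SAMPLE = r'''
var rows = [];
for (var i = 0; i < 10; i++) rows.push("row " + i);
document.getElementById("out").textContent = rows.join(", ");
'''

# unescape("...") literal made only of %uXXXX escapes
UNESCAPE_LITERAL = re.compile(r'unescape\s*\(\s*["\']((?:%u[0-9a-fA-F]{4})+)["\']\s*\)')
# a string appended to itself: "x += x"
SELF_DOUBLING = re.compile(r'\b(\w+)\s*\+=\s*\1\b')
# a for-loop whose body stores into an indexed array slot
ARRAY_FILL_LOOP = re.compile(r'for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+')


def implied_dword(units):
    """Return the 32-bit value a repeating pair of %uXXXX units writes to memory.

    JavaScript strings are UTF-16LE in memory, so unescape("%uabcd%uefgh")
    lays down the bytes cd ab gh ef; read as a little-endian DWORD that is 0xefghabcd.
    """
    first = int(units[0], 16)
    second = int(units[1 % len(units)], 16)
    return (second << 16) | first


def analyze(js):
    """Score a JavaScript fragment for heap-spray indicators.

    Returns a dict with the matched indicators, the implied filler value
    (None if no repeating filler was found) and a score equal to the number
    of distinct indicators.
    """
    indicators = []
    filler_value = None
    for m in UNESCAPE_LITERAL.finditer(js):
        units = re.findall(r'%u([0-9a-fA-F]{4})', m.group(1))
        # A filler is a literal built from one or two distinct units repeated.
        if len(units) >= 2 and len({u.lower() for u in units}) <= 2:
            indicators.append("repeating unescape filler")
            filler_value = implied_dword(units)
    if SELF_DOUBLING.search(js):
        indicators.append("self-doubling string")
    if ARRAY_FILL_LOOP.search(js):
        indicators.append("array filled in loop")
    return {"indicators": indicators, "filler_value": filler_value, "score": len(indicators)}


def is_suspicious(js, threshold=2):
    """True when at least `threshold` indicators co-occur in the fragment."""
    return analyze(js)["score"] >= threshold


if __name__ == "__main__":
    for name, sample in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyze(sample)
        value = hex(result["filler_value"]) if result["filler_value"] is not None else None
        print(name, result["score"], result["indicators"], value)
```

The threshold of two co-occurring indicators keeps a lone `+=` loop or a single short `unescape` literal from triggering on ordinary pages; the filler value is the piece worth correlating with crash dumps, since a faulting address that equals it is a strong sign the spray landed.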