Description:
Timeline:
Vulnerability discovered by Sean de Regge and submitted to ZDI
Vulnerability reported to vendor by ZDI on 2011-04-01
Coordinated public release of the vulnerability on 2011-08-16
Metasploit PoC provided on 2011-09-16
PoC provided by:
Sean de Regge
juan vazquez
Reference(s):
CVE-2011-2950
ZDI-11-265
OSVDB-74549
Affected versions:
RealPlayer 11.0 -- 11.1
RealPlayer SP 1.0 -- 1.1.5
RealPlayer 14.0.0 -- 14.0.5
Tested on Windows XP Pro SP3 with:
Internet Explorer 7.0.5730.13
Apple RealPlayer 14.0.2.633
Description:
This module exploits a heap overflow in RealPlayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256-byte buffer is allocated on the heap and user-supplied data from the file is copied into it within a memory copy loop. This allows a remote attacker to execute arbitrary code in the context of the web browser via a .QCP file with a specially crafted "fmt" chunk. At this moment the module exploits the flaw on Windows XP with IE6 and IE7.
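A defender-side sanity check suggested by the description above, added here as example code (it is not part of the original post or of the Metasploit module): it walks the chunks of a .QCP file and flags an "fmt" chunk whose declared length exceeds the 256-byte buffer the description mentions, or whose declared length runs past the end of the file. It assumes QCP is a RIFF container (RIFF/QLCM, as in RFC 3625); the chunk walking, the FMT_BUFFER_SIZE name and the sample files built inline are assumptions and constructed test input, not data from the page.

```python
import struct

# Bound stated in the description: qcpfformat.dll copies the "fmt" chunk into a
# fixed 256-byte heap buffer. Name and use as a heuristic threshold are ours.
FMT_BUFFER_SIZE = 256


def iter_riff_chunks(data):
    """Yield (fourcc, declared_size, payload) for each chunk in a RIFF body.
    Assumption: QCP uses the RIFF container (RIFF/QLCM per RFC 3625)."""
    if len(data) < 12 or data[:4] != b"RIFF":
        raise ValueError("not a RIFF file")
    pos = 12  # skip "RIFF", 32-bit size and the "QLCM" form type
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = data[pos + 8:pos + 8 + size]  # may be short if file is truncated
        yield fourcc, size, payload
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length


def check_qcp(data):
    """Return a list of findings: an oversized "fmt " chunk (RIFC fourcc carries a
    trailing space) or any chunk whose declared size exceeds the bytes present."""
    findings = []
    for fourcc, size, payload in iter_riff_chunks(data):
        if fourcc == b"fmt " and size > FMT_BUFFER_SIZE:
            findings.append(f"fmt chunk declares {size} bytes > {FMT_BUFFER_SIZE}-byte buffer")
        if len(payload) < size:
            findings.append(f"{fourcc!r} chunk declares {size} bytes but only {len(payload)} present")
    return findings


def build_qcp(fmt_size):
    """Constructed test input: a minimal QCP-shaped RIFF file whose fmt chunk is
    zero-filled and fmt_size bytes long, followed by an empty data chunk."""
    pad = b"\x00" if fmt_size & 1 else b""
    fmt = b"fmt " + struct.pack("<I", fmt_size) + b"\x00" * fmt_size + pad
    data_chunk = b"data" + struct.pack("<I", 0)
    body = b"QLCM" + fmt + data_chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(check_qcp(build_qcp(150)))        # well-formed: []
    print(check_qcp(build_qcp(1024)))       # oversized fmt: one finding
    print(check_qcp(build_qcp(150)[:100]))  # truncated file: one finding
```

The check is a triage heuristic for scanning samples that reach the browser, not a fix for the library; the vendor patch is the mitigation.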
Metasploit demo:
use exploit/windows/browser/realplayer_qcp
set SRVHOST 192.168.178.21
exploit
getuid
sysinfo
Tags: realplayer
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.