OK, so the exploit code is hidden in the picture ... you can end up with a valid image (JPG or PNG) file that will nonetheless be interpreted as HTML by a browser. The simplest way to do this ...