This Metasploit module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed.
c34a481f2b8be1ac2f3b8a01e8ab562889bd7cdb4f5c7a2ba7fee1e09d0c1f5b