The Stage 2 payload, executing as position-independent machine code fragments within the vulnerable process' address space, is free of the code space constraints of the Stage 1 payload, but there may still be other execution environment constraints. For example, the exploit may have corrupted the heap metadata, and subsequent heap operations may cause the process to crash. In these cases, the Stage 2 payload has to repair the heap before attempting to execute more complex operations that require explicit or implicit heap allocation. Under Windows XP and later Windows operating systems, the default heap can be quickly switched to the low-fragmentation heap using HeapSetInformation(), thus abandoning the use of a potentially corrupted standard default heap.
In order to fully escape execution and implementation constraints, the Stage 2 payload proceeds to download and execute a binary executable from the payload server. In the current design, this executable is a specially built interpreter for the Lua programming language, described in the next section.