Professional Documents
Culture Documents
http://security.stackexchange.com/questions/344...
sign up
Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100%
free, no registration required.
log in
tour
help
exploit
terminology
85
Akam
550 6
17
I feel like the difference could be explained with a very inappropriate (for StackExchange) sexual analogy.
IQAndreas Oct 5 '14 at 4:31
3 Answers
The exploit is what delivers the payload. Take a missile as an analogy. You have the rocket and
fuel and everything else in the rocket, and then you have the warhead that does the actual
damage. Without the warhead, the missile doesn't do very much when it hits. Additionally, a
warhead isn't much use if it goes off in your bunker without a rocket delivering it.
The delivery system(missile) is the exploit and the payload (warhead) is the code that actually
does something.
Exploits give you the ability to 'pop a shell/run your payload code'.
Example payloads are things like Trojans/RATs, keyloggers, reverse shells etc.
Payloads are only referred to when code execution is possible and not when using things like
denial of service exploits.
1 de 4
23/06/15 15:33
http://security.stackexchange.com/questions/344...
2 de 4
47
83
23/06/15 15:33
http://security.stackexchange.com/questions/344...
@D3C4FF don't forget that the vulnerability in your analogy/metaphor would be the inability of the target to detect
and shoot down the incoming missile. acolyte Apr 16 '13 at 13:21
69
136
I prepared an easier to read version of the diagram (I believe). It's following same basic
principles the @D3C4FF's excelent answer does. I was tempted to go with his analogy first, but I
thought it wouldn't be appropriate due to recent events and for the current global political climate.
The target (self-portrait of a crested black macaque ) is just cute, and the banana just what I
thought a convenient analogy for the occasion. Neither are meant to be offensive.
Obviously, a single exploit can deliver multiple payloads to a single or multiple targets. In latter
case, a crate of bananas with a single ape, or a crate of bananas in a zoo for multiple targets
could be used to describe individual entities involved in the process of exploitation (where the
crate would then be an exploit, and bananas in it payloads). ;)
3 de 4
23/06/15 15:33
http://security.stackexchange.com/questions/344...
While this example diagram might seem a bit odd, I actually believe it's suitable beyond just
being controversial (as current votes on this post show). Bananas, among other obvious uses,
have actually been suggested as a delivery mechanism for medicine before , where normal
vaccinations wouldn't be as effective.
The banana peel also denotes an exploit perfectly, since it's later discarded just as the exploit
would be, while the payload is consumed and digested by the target through a vulnerability (or in
our case, the cute macaque's mouth).
edited Apr 19 '13 at 7:52
4 de 4
this cleared up several points that have been confusing me for years, thanks. lynks Apr 16 '13 at 17:36
@lynks - Well, discarding of an exploit after the payload was consumed can be a slippery business (tho it can be
recycled) :) TildalWave Apr 17 '13 at 1:53
27
61
23/06/15 15:33