appsec - What is the dierence between Exploit a...

http://security.stackexchange.com/questions/344...

sign up

Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100%
free, no registration required.

log in

tour

help

Take the 2-minute tour

What is the difference between Exploit and Payload?

In computer security, we know that weak points in software are called vulnerabilities (if related to security). And once the vulnerability is
found, theoretically it requires a piece of code as proof of concept (this is called an exploit). In this context, the term payload is also
mentioned.
Then, what is the difference between 'payload' and 'exploit'?
appsec

exploit

terminology

edited Apr 16 '13 at 17:38

AviD
36.1k
14

85

asked Apr 16 '13 at 8:25

155

Akam
550 6

17

I feel like the difference could be explained with a very inappropriate (for StackExchange) sexual analogy.
IQAndreas Oct 5 '14 at 4:31

3 Answers
The exploit is what delivers the payload. Take a missile as an analogy. You have the rocket and
fuel and everything else in the rocket, and then you have the warhead that does the actual
damage. Without the warhead, the missile doesn't do very much when it hits. Additionally, a
warhead isn't much use if it goes off in your bunker without a rocket delivering it.
The delivery system(missile) is the exploit and the payload (warhead) is the code that actually
does something.
Exploits give you the ability to 'pop a shell/run your payload code'.
Example payloads are things like Trojans/RATs, keyloggers, reverse shells etc.
Payloads are only referred to when code execution is possible and not when using things like
denial of service exploits.

1 de 4

23/06/15 15:33

appsec - What is the dierence between Exploit a...

edited Apr 19 '13 at 4:41

http://security.stackexchange.com/questions/344...

answered Apr 16 '13 at 8:27

NULLZ
7,294
8

2 de 4

47

83

23/06/15 15:33

appsec - What is the dierence between Exploit a...

http://security.stackexchange.com/questions/344...

best description ;-) Dr. Apr 16 '13 at 8:28

@Dr. updated it slightly just in case ;) NULLZ Apr 16 '13 at 8:32
@D3C4FF: thanks, I can imagine them now exactly :) Akam Apr 16 '13 at 8:33
@Akam please remember to mark it as answered if its answered your question :) NULLZ Apr 16 '13 at 8:50

@D3C4FF don't forget that the vulnerability in your analogy/metaphor would be the inability of the target to detect
and shoot down the incoming missile. acolyte Apr 16 '13 at 13:21

You already know what a vulnerability is.

An exploit is a piece of code written to take advantage of a particular vulnerability. A payload is a
piece of code to be executed through said exploit.
Have a look at the Metasploit Framework. It is simply a collection of exploits and payloads. Each
exploit can be attached with various payloads like reverse or bind shells, the meterpreter shell
etc.
The beauty of the Metasploit Framework is that it is modular. You can mix and match different
payloads and exploits to achieve the needed results.
answered Apr 16 '13 at 8:28
Terry Chia
27.7k
9

69

136

I prepared an easier to read version of the diagram (I believe). It's following same basic
principles the @D3C4FF's excelent answer does. I was tempted to go with his analogy first, but I
thought it wouldn't be appropriate due to recent events and for the current global political climate.
The target (self-portrait of a crested black macaque ) is just cute, and the banana just what I
thought a convenient analogy for the occasion. Neither are meant to be offensive.
Obviously, a single exploit can deliver multiple payloads to a single or multiple targets. In latter
case, a crate of bananas with a single ape, or a crate of bananas in a zoo for multiple targets
could be used to describe individual entities involved in the process of exploitation (where the
crate would then be an exploit, and bananas in it payloads). ;)

3 de 4

23/06/15 15:33

appsec - What is the dierence between Exploit a...

http://security.stackexchange.com/questions/344...

separate entities are colour coded ;)

While this example diagram might seem a bit odd, I actually believe it's suitable beyond just
being controversial (as current votes on this post show). Bananas, among other obvious uses,
have actually been suggested as a delivery mechanism for medicine before , where normal
vaccinations wouldn't be as effective.
The banana peel also denotes an exploit perfectly, since it's later discarded just as the exploit
would be, while the payload is consumed and digested by the target through a vulnerability (or in
our case, the cute macaque's mouth).
edited Apr 19 '13 at 7:52

answered Apr 16 '13 at 17:33

TildalWave
8,400
6

4 de 4

this cleared up several points that have been confusing me for years, thanks. lynks Apr 16 '13 at 17:36

@lynks - Well, discarding of an exploit after the payload was consumed can be a slippery business (tho it can be
recycled) :) TildalWave Apr 17 '13 at 1:53

27

61

23/06/15 15:33