What is the difference between Exploit and Payload?

The exploit is what delivers the payload. Take a missile as an analogy. You have the rocket and fuel and everything else in the rocket, and then you have the warhead that does the actual damage. Without the warhead, the missile doesn't do very much when it hits. Additionally, a warhead isn't much use if it goes off in your bunker without a rocket delivering it.

The delivery system(missile) is the exploit and the payload (warhead) is the code that actually does something.

Exploits give you the ability to 'pop a shell/run your payload code'.

Example payloads are things like Trojans/RATs, keyloggers, reverse shells etc.

Payloads are only referred to when code execution is possible and not when using things like denial of service exploits.

Flow chart Bunker Buster exploitz


You already know what a vulnerability is.

An exploit is a piece of code written to take advantage of a particular vulnerability. A payload is a piece of code to be executed through said exploit.

Have a look at the Metasploit Framework. It is simply a collection of exploits and payloads. Each exploit can be attached with various payloads like reverse or bind shells, the meterpreter shell etc.

The beauty of the Metasploit Framework is that it is modular. You can mix and match different payloads and exploits to achieve the needed results.


I prepared an easier to read version of the diagram (I believe). It's following same basic principles the @D3C4FF's excellent answer does. I was tempted to go with his analogy first, but I thought it wouldn't be appropriate due to recent events and for the current global political climate.

The target (self-portrait of a crested black macaque) is just cute, and the banana just what I thought a convenient analogy for the occasion. Neither are meant to be offensive.

Obviously, a single exploit can deliver multiple payloads to a single or multiple targets. In latter case, a crate of bananas with a single ape, or a crate of bananas in a zoo for multiple targets could be used to describe individual entities involved in the process of exploitation (where the crate would then be an exploit, and bananas in it payloads). ;)

Exploit -> Payload -> Vulnerability -> Target

separate entities are colour coded ;)

While this example diagram might seem a bit odd, I actually believe it's suitable beyond just being controversial (as current votes on this post show). Bananas, among other obvious uses, have actually been suggested as a delivery mechanism for medicine before, where normal vaccinations wouldn't be as effective.

The banana peel also denotes an exploit perfectly, since it's later discarded just as the exploit would be, while the payload is consumed and digested by the target through a vulnerability (or in our case, the cute macaque's mouth).

Tags:

Terminology

Exploit

Appsec

Recent Posts