5

I knew about the Metasploit Framework for a few years, but I never really got into it. I have some knowledge when it comes to networks, but I am not a Pro. I've tested some things with Metasploit and I was curious about one thing. (please correct me if I'm wrong)

Let's say that Microsoft is releasing a new version of Internet Explorer. Somebody finds a vulnerability (buffer overflow), and with Metasploit (not only Metasploit, but yeah), I set the exploit, set the payload, set the parameters, type exploit, and I got a meterpreter shell.

Ok, Internet Explorer has a vulnerability, but how is the connection between the exploit and the payload made? From what I know, a buffer overflow is just something that crashes the application, but how does it go from crashing an application to a connection back to the hacker's computer?

icebox19
  • Buffer overflows crash the application only if they cause the return address to be set to a random address in memory. A carefully crafted buffer overflow however may cause a jump to the start of the shellcode (payload). There are tons of variations of this basic principle, many of them are explained in [Smashing the Stack for Fun and Profit](http://insecure.org/stf/smashstack.html). – Lukas Graf Jun 09 '14 at 16:11
  • An exploit is what allows you to take control over the execution flow. The payload is what you want to do then. – ack__ Jun 09 '14 at 23:55
  • Most exploits have payload code which initiates a callback. This is often done with netcat. It all depends on what you did for the [payload generation](http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads) – munkeyoto Jun 09 '14 at 14:32

4 Answers

8

The vulnerability is just the weakness in the software that allows an attacker to gain control. For example (since you mentioned buffer overflows), an unchecked buffer copy via strcpy, or using memcpy with an attacker-controlled length.

An exploit is the actual process of leveraging a vulnerability. For buffer overflows, this is the process of overwriting the saved EIP on the stack, or overwriting a function pointer, or any other process that actually gives you control of the application.

The payload is what you want to do with the exploit: it can run a command (such as a shell), open a network port and listen (a bindshell), connect back to you (a reverse shell), or generally anything else you might want to do. Often, if you're using Metasploit, you want to start Meterpreter, as Meterpreter is designed to let you leverage it to do a variety of different tasks (screenshots, execute commands, exfiltrate data, etc.).

David
  • Upvote because this is the only answer that even remotely addresses the OP's question (*how is the connection made between the exploit and the payload*). – Lukas Graf Jun 09 '14 at 23:41
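As an added illustration of the two vulnerable patterns this answer names (not code from the answer or from Metasploit), here is an unchecked `strcpy` into a fixed-size stack buffer beside bounded versions that validate the length against the destination before copying; the 64-byte buffer size and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed size for the example */

/* Vulnerable pattern named in the answer: unchecked strcpy into a fixed-size
 * stack buffer. Input longer than BUF_SIZE-1 bytes runs past the buffer into
 * the saved frame pointer and return address; that corruption is what an
 * exploit turns into a jump to its payload. Shown only to expose the pattern. */
void vuln_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);              /* no length check at all */
    printf("copied: %s\n", buf);
}

/* Hardened form: check the length against the destination size and reject
 * input that does not fit (no silent truncation, no overflow).
 * Returns 0 on success, -1 if the input is too long. */
int safe_copy(char *dst, size_t dst_size, const char *input)
{
    size_t n = strlen(input);
    if (n >= dst_size)               /* no room for the terminating NUL */
        return -1;
    memcpy(dst, input, n + 1);
    return 0;
}

/* Second pattern from the answer: memcpy with an attacker-controlled length,
 * e.g. a length field parsed from a network message. The claimed length must
 * be validated against the destination size before the copy happens. */
int safe_memcpy_field(unsigned char *dst, size_t dst_size,
                      const unsigned char *src, size_t claimed_len)
{
    if (claimed_len > dst_size)
        return -1;
    memcpy(dst, src, claimed_len);
    return 0;
}

int main(void)
{
    char dst[BUF_SIZE];
    char oversized[BUF_SIZE * 2];               /* constructed 127-byte input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("short input: %d\n", safe_copy(dst, sizeof dst, "hello"));
    printf("oversized input: %d\n", safe_copy(dst, sizeof dst, oversized));
    return 0;
}
```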
2

You seem to be confusing what a payload is with what an exploit is.

  • Exploit: Think about an exploit as a way to make use of a certain vulnerability. In the case of a buffer overflow for example an exploit is a program or a tool that will inject a payload into that vulnerable application to give you access.

Example: Metasploit's exploits library

  • Payload: Now think about a payload as byte code such as `\x12\x64\x23\xAB` to be executed after the exploit is successful.

Example: A shellcode that spawns a shell: `\xeb\x12\x31\xc9\x5e\x56\x5f\xb1\x15\x8a\x06\xfe\xc8\x88\x06\x46\xe2\xf7\xff\xe7\xe8\xe9\xff\xff\xff\x32\xc1\x32\xca\x52\x69\x30\x74\x69\x01\x69\x30\x63\x6a\x6f\x8a\xe4\xb1\x0c\xce\x81`

AK_
1

The exploit uses a bug like a buffer overflow to make the target software execute your code, the payload.

Basically the target runs its own software, then the exploit comes along and gets executed, and finally the exploit runs your payload. Depending on the bug, the size of your payload can be limited.

An exploit could crash the target software, but it does not have to. This depends on the bug you are exploiting. Some exploits make the software continue as if nothing happened.

PiTheNumber
-1

Think of it like this:

Suppose a thief wants to rob a house whose residents locked it up and went away on holiday.

Now the thief sees a lock on the front door, and after some analysis finds that the lock is vulnerable to a duplicate key.

Here note that the "duplicate key" is the exploit in Metasploit. When you do port scanning you find that the service is vulnerable to this exploit. So this is the same.

When the thief enters the house, he decides what to do: what should I steal?

Here note that the "things to do" is the payload in Metasploit; it tells you what to do after exploiting the system. So, after exploiting the system through the use of the exploit, we decide what to do next by specifying the payload.

So this is the way I understood how exploit and payload work together in Metasploit.

Utkarsh Agrawal