In security testing, studying and deploying exploits seems to be the most fun. Exploits provoke the most thought and reaction amongst learners, as well. So, what exactly is an exploit? Let’s take a peek under the hood.
They run the gamut in terms of how they work and what they do. The possibilities are nearly endless. However, like most any topic, we can break the subject down into understandable components. We’ll begin with a basic definition. According to the sages of quick and easy information, Wikipedia, an exploit is
a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behaviour to occur.
Here, we see the two essential elements of an exploit: leveraging a vulnerability, and causing unwanted behavior. They are two different things. Exploits consist of these two discernible elements: the vector and the payload.
Consider a bad guy who wants to get rich by burglarizing a bank in some furtive manner. He’ll need two things. First, he needs to get into the bank vault. His method must be novel or unanticipated; if it is not, the bank’s defenses will prevent or detect his activity. Second, he’ll need a way to make off with the loot.
The vector is the part of an exploit that gains access. It’s like tunneling into the bank and its vault. (OK. This isn’t a really good bank.) Vector is a fairly well-established term. You can see many of them listed in CVE (Common Vulnerabilities and Exposures). CVE publishes known vulnerabilities; we could also say that CVE publishes vectors. For an entry in CVE, the responsible vendor is aware of the issue (and hopefully has some remediation), and now you are, too. The theory is that if you know about and remediate vulnerabilities, you can ward off attacks by denying access to your assets. It doesn’t always work out that way.
Zero-Day Means Zero Warning
Some vulnerabilities are discovered by good guys, who do the responsible thing and report the flaw to the software publisher or another responsible party. But bad guys also find new vulnerabilities, and they love them: no one is expecting the new way of gaining access. The designation zero-day is given to exploits for which there is no warning and no remediation. Zero-day means zero warning. To be more specific, a zero-day is an exploit leveraging a previously unknown vector to gain access. Such exploits stand a very high chance of success, as there is no known defense or detection.
What about the other component of an exploit, the payload? Payloads are the tools or techniques that actually do the damage. A vector does not steal credit card information; it just makes it available to the attacker. In our bank analogy, the burglar might have gotten into the bank vault via a tunnel, using an excavator and a shovel. But now he needs to make off with the cash. A crowbar to open the safe deposit boxes and a bag to carry off the loot are just what he needs. Stealing is the payload.
A payload is the malicious code or technique that steals, modifies or destroys. Examples of payloads would be:
If you could look at the code behind a technical exploit, you’d always find the two elements discussed above: vector and payload. The vector gains access or bypasses controls. The payload is then unleashed to complete the illicit mission. Knowing that these two distinct elements exist is useful: it means there are two things that can be detected.
In a previous blog post, we discussed antivirus detection. We tested detection several times and got some positive results. But what was detected, the vector or the payload? Examine the scan results below. This is an excerpt from a scan of a known Java-based exploit. It shows just the results from Sophos and McAfee.
Notice that the McAfee result shows a reference to CVE-2012-0507. They detected the vector. Sophos shows a reference to malware based on Java. If you research the Sophos details, they only indicate that it is a virus or spyware, both of which are payloads. Nothing is written about the vector. So, you may find that one AV vendor likes to detect vectors while another goes after payloads.
Which is better for protecting you from exploits? Probably payload detection. Maybe. It would be nice if both were consistently detected. Besides antivirus, there are other defensive tools, such as Host Intrusion Detection Systems (HIDS) and Host Intrusion Prevention Systems (HIPS). Classically, these tools attempt to discover payloads, with a few exceptions. HIDS and HIPS often attempt to discover unwanted or dangerous actions on a machine, which sounds a lot like payload detection. Ultimately, it is the payload that does the damage.
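To make the vector-versus-payload distinction usable when reviewing a scan, here is an added Python example (not from the original post, and not code from McAfee, Sophos or any other vendor). It reads lines of the form "vendor: detection name", tags a detection as vector-based when its name cites a CVE, as payload-based when it uses a generic malware family word (virus, spyware, trojan and so on), and reports which vendors cover both. The scan lines, the "vendor: name" format, the ExampleAV-* vendor labels and every detection name are constructed for this example; only the CVE-2012-0507 identifier comes from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample scan lines (not real vendor output). The "vendor: name"
# layout and the detection names are assumptions made for this example;
# CVE-2012-0507 is the identifier discussed in the post.
SAMPLE_SCAN_LINES = [
    "McAfee: Exploit-CVE2012-0507",
    "Sophos: Mal/JavaGen-Sample",
    "ExampleAV-1: Trojan.Spy.Sample",
    "ExampleAV-2: Exploit:Java/CVE-2012-0507.A",
    "ExampleAV-2: Trojan.Spy.Sample",
    "ExampleAV-3: clean",
]

# A CVE reference in a detection name points at the vector (the vulnerability).
CVE_RE = re.compile(r"CVE[-_]?(\d{4})[-_]?(\d{4,})", re.IGNORECASE)

# Generic family words point at the payload (what the code does once it runs).
PAYLOAD_WORDS = ("mal", "trojan", "spy", "virus", "backdoor", "ransom", "worm")


@dataclass
class Detection:
    vendor: str
    name: str
    kind: str            # "vector", "payload", "unknown" or "clean"
    cve: Optional[str]   # normalised CVE id when the name cites one


def classify(vendor: str, name: str) -> Detection:
    """Heuristically decide whether a detection name describes the vector or the payload."""
    if name.strip().lower() in ("", "clean", "undetected"):
        return Detection(vendor, name, "clean", None)
    match = CVE_RE.search(name)
    if match:
        cve_id = f"CVE-{match.group(1)}-{match.group(2)}"
        return Detection(vendor, name, "vector", cve_id)
    lowered = name.lower()
    if any(word in lowered for word in PAYLOAD_WORDS):
        return Detection(vendor, name, "payload", None)
    return Detection(vendor, name, "unknown", None)


def parse_scan(lines: List[str]) -> List[Detection]:
    """Parse "vendor: detection name" lines; lines without a colon are skipped."""
    results = []
    for line in lines:
        if ":" not in line:
            continue
        vendor, name = line.split(":", 1)
        results.append(classify(vendor.strip(), name.strip()))
    return results


def coverage_summary(detections: List[Detection]) -> Dict[str, List[str]]:
    """Group vendor names by the kind of thing they detected."""
    summary: Dict[str, List[str]] = {"vector": [], "payload": [], "unknown": [], "clean": []}
    for d in detections:
        summary[d.kind].append(d.vendor)
    return summary


def kinds_per_vendor(detections: List[Detection]) -> Dict[str, Set[str]]:
    """Which detection kinds each vendor produced (a vendor may report several lines)."""
    per_vendor: Dict[str, Set[str]] = {}
    for d in detections:
        per_vendor.setdefault(d.vendor, set()).add(d.kind)
    return per_vendor


def vendors_covering_both(detections: List[Detection]) -> List[str]:
    """Vendors that flagged both the vector and the payload; the post says this is what you want."""
    return [v for v, kinds in kinds_per_vendor(detections).items()
            if {"vector", "payload"} <= kinds]


if __name__ == "__main__":
    parsed = parse_scan(SAMPLE_SCAN_LINES)
    for d in parsed:
        print(f"{d.vendor:12} {d.kind:8} {d.cve or '-':16} {d.name}")
    print("cover both vector and payload:", vendors_covering_both(parsed))
```

The two regex and keyword rules are deliberately crude: real detection names vary widely, and a name that cites a CVE may still be a generic family signature. Treat the "unknown" bucket as the list of names to look up in the vendor's own description, which is what the post did for the Sophos result.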
If this analysis is of interest to you, there is a Learning Tree course on penetration testing that closely examines and deploys exploits.