What is an exploit?
From Wikipedia: “An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).”
A vulnerability exploit attack typically involves three stages:
- The exploit triggers a vulnerability through which the attacker is able to run shellcode that bypasses the operating system's built-in protections, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
- The exploit shellcode then runs a set of special instructions called the payload.
- The payload in turn executes a malicious action. Examples of malicious actions are "download this EXE from the Internet and execute it" or more advanced actions such as opening a reverse shell to the attacker without any EXE files involved. Some malicious actions in the past have been very stealthy, as in the FBI exploit of the Tor Browser Bundle in 2013, where the payload simply sent a call-back packet to the FBI's servers containing the exploited PC's MAC address, its Windows hostname and some other basic personally identifiable information.
Traditional antivirus and endpoint security solutions deal mostly with the payload's malicious action, and mainly when an EXE file is involved. The protection against exploits offered by traditional solutions weakens considerably when the payload is more advanced and/or when the attack is still in its earlier stages.