In computing, an exploit is a systematic way of taking advantage of vulnerabilities that arose during the development of a program. Program code is used to exploit security vulnerabilities and malfunctions in programs (or entire systems), usually to gain access to resources or to penetrate or disrupt computer systems. A zero-day exploit is the exploitation of a vulnerability for which no patch from the manufacturer of the component is yet available.
An exploit is often developed and documented solely to demonstrate a security vulnerability. The aim is to enable software manufacturers to identify and close a security gap more quickly. Often the mere description of how a vulnerability can be exploited is itself referred to as an exploit.
Exploits take advantage of the fact that computers with a von Neumann architecture, i.e. almost all home and office computers, do not distinguish between program code and user data. In a buffer overflow, for example, the attacker’s code is written to a memory area it was never intended for, from where it can alter the execution of the application. Another possibility is format string attacks, in which unfiltered user input is passed to formatting functions such as printf(). An attacker can often execute their own code in this way, for example obtaining a shell that runs with the privileges of the exploited application.
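The format string problem described above is easiest to demonstrate without undefined behaviour using Python's str.format, which is an analogue of the C printf() case: when user input becomes the format template rather than a value, its replacement fields are evaluated against whatever objects the call has in scope. This is an added example, not code from the original article; the Config class, the render_log functions and the secret value are constructed for the demonstration.

```python
"""Format-string misuse, shown with Python's str.format as an analogue of the
C printf() case. Added example; Config and the render_log_* names are
constructed for the demonstration.
"""


class Config:
    """Constructed object standing in for application state (a database
    password and a hostname) that a log-formatting call has in scope."""

    def __init__(self, hostname: str, db_password: str) -> None:
        self.hostname = hostname
        self.db_password = db_password


def render_log_unsafe(user_input: str, cfg: Config) -> str:
    # Vulnerable: the user-controlled string *is* the format template, so a
    # replacement field such as "{cfg.db_password}" is resolved against the
    # keyword arguments and walks into the object's attributes.
    return user_input.format(cfg=cfg)


def render_log_safe(user_input: str, cfg: Config) -> str:
    # Hardened: the template is a fixed literal; user input is only ever a
    # value substituted for a placeholder, never a template of its own.
    return "[{}] user said: {}".format(cfg.hostname, user_input)


def leaks_secret(rendered: str, cfg: Config) -> bool:
    """Detection helper: did the rendered log line expose the secret?"""
    return cfg.db_password in rendered


if __name__ == "__main__":
    cfg = Config("db1", "s3cret-constructed")
    probe = "{cfg.db_password}"  # constructed input containing a replacement field
    print("unsafe:", render_log_unsafe(probe, cfg))
    print("safe:  ", render_log_safe(probe, cfg))
```

The fix is the same as for printf(): the format string must be a literal under the program's control, and user data is passed only as an argument. Any code review or static check that flags a non-literal first argument to a formatting function catches this class of bug.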
---

Classification of Exploits
Exploits are usually classified as follows:
- Local Exploits
- Remote Exploits
- DoS Exploits
- Command Execution Exploits
- SQL Injection Exploits
- Zero-day exploits
Local exploits
Local exploits can be triggered when opening seemingly harmless files (e.g. Office documents) if the application associated with the file type has a security vulnerability due to incorrect or improper processing of the file. Typically, such an exploit (for example, one embedded in a PDF document or as a macro in a Word or Excel file) first attempts to exploit vulnerabilities in the program used to read the file in order to gain a higher privilege level and thus load malicious code into the operating system and execute it. The actual action that the exploit performs is called a payload. With many exploit frameworks (such as Metasploit), the payload can be configured separately, but it can also be embedded in the exploit.
Remote exploits
An active form of exploit consists of attacks over the Internet that use manipulated data packets or specially crafted data streams against vulnerabilities in network software. Such exploits are sometimes referred to as remote exploits.
Denial-of-service exploits
In most cases, the first exploits published for a known vulnerability are so-called DoS exploits, which overload the affected application but do not involve executing third-party code or escalating privileges.
Command-execution exploits
Command-execution exploits are characterized by attacker-controlled execution of program code on the target system. To execute such an exploit successfully, its author must be aware of various peculiarities of the target application’s memory layout. They obtain this knowledge from openly available source code or from plain testing, and they have to place their code cleverly in order for it to be executed. Command-execution exploits are usually very dangerous, because the affected applications often hold significant privileges on the system and the attacker’s code runs with those privileges.
SQL injection exploits
SQL injection exploits are a special type of exploit and are mainly used against web applications that use a SQL database, because these are very easily reachable over the Internet; in principle, however, they threaten any application that accesses a SQL database. Here, requests in a layered architecture are crafted so that a faulty or improperly implemented presentation layer returns or writes data that it should not make available for reading or writing. For example, entries in a login form can be crafted so that the affected application nevertheless logs in an invalid user, or data fields from the database can be output selectively, e.g. to dump the passwords or e-mail addresses of all registered users. A SQL injection vulnerability arises when user input passed to program interfaces is not sufficiently checked for validity (e.g. that it does not contain SQL commands or parts of them) and filtered.
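The login-form case described above, as an added example that is not part of the original article: a login check that splices user input into the SQL text is placed beside the parameterized form, together with the kind of input validation the paragraph mentions. The in-memory SQLite database, the users table and the sample user are constructed for the demonstration.

```python
"""SQL injection in a login check: vulnerable string concatenation beside the
parameterized query. Added example; the schema and sample user are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table. Real systems store password hashes rather than
    # plaintext, but the injection behaves the same either way.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Vulnerable: user input is spliced into the SQL text, so quote characters
    # in the input change the structure of the query itself.
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Hardened: placeholders keep the query structure fixed; the driver passes
    # the values separately, so they are only ever compared as data.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# Defence in depth: an allow-list for user names rejects SQL metacharacters
# before the value reaches any query. Parameterization remains the primary fix.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_is_valid(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("vulnerable, no valid user:", login_vulnerable(conn, tautology, tautology))
    print("parameterized, same input:", login_parameterized(conn, tautology, tautology))
    print("allow-list accepts it?   ", username_is_valid(tautology))
```

With the spliced query, the input turns the WHERE clause into a condition that is true for every row, so the count is non-zero and the application logs in a user that does not exist; with placeholders the same text is compared literally against the name column and matches nothing.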
Zero-day exploit
A zero-day exploit is an exploit that is used before a patch exists as a countermeasure. As a result, developers have no time (“zero days”) to fix the software so that the exploit becomes ineffective and users are protected. If someone discovers a security vulnerability and, instead of reporting it to the software manufacturer, develops an exploit for it, the vulnerability often only becomes known long after the first attack. Attackers like to keep zero-day exploits secret so that they can be used for as long as possible. Away from public view, zero-day exploits are traded among hackers or offered to manufacturers for large sums of money.
As a preventive measure, experts try to detect security vulnerabilities in advance and report them to software manufacturers. This is sometimes criticized in professional circles, because the testers sometimes violate laws or manufacturer guidelines in doing so.