A software vulnerability is, at its simplest, a software bug: incorrect or invalid handling of input passed to the affected program. A specially crafted input that takes advantage of such a vulnerability is called a software vulnerability exploit, or simply an exploit.
If the vulnerability is unknown to others, or has not been disclosed to the software manufacturer, the code that uses it is often called a zero-day exploit or a zero-day attack.
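As an added example (not code from the original page), the following C listing shows the kind of input-handling defect the paragraph describes next to its checked counterpart. The wire format (one declared-length byte followed by the payload), the sample messages and the function names are constructed for the illustration; the point is that a value taken from the input is used without being compared against what the program actually has.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for the example: one byte that declares the
   payload length, followed by the payload bytes. Not a real protocol. */

#define PAYLOAD_MAX 8

/* Vulnerable variant: trusts the declared length. If the sender declares
   more bytes than were actually received, or more than fit in `out`,
   memcpy reads past the input and writes past the output buffer. This
   missing comparison is the "incorrect handling of input" the text names. */
int parse_unchecked(const uint8_t *msg, size_t msg_len, uint8_t *out)
{
    (void)msg_len;                /* the length check is exactly what is missing */
    uint8_t declared = msg[0];
    memcpy(out, msg + 1, declared);
    return (int)declared;
}

/* Hardened variant: every value taken from the input is checked against
   what the program really holds before it is used. Returns the payload
   length on success, -1 when the message is rejected. */
int parse_checked(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_len)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;                /* no header byte at all */
    size_t declared = msg[0];
    if (declared > msg_len - 1)
        return -1;                /* declares more bytes than were received */
    if (declared > out_len)
        return -1;                /* would overflow the destination buffer */
    memcpy(out, msg + 1, declared);
    return (int)declared;
}

int main(void)
{
    uint8_t out[PAYLOAD_MAX];
    /* Constructed inputs: a well-formed message and a malformed one whose
       header claims 200 payload bytes but carries only 3. */
    const uint8_t good[] = { 3, 'a', 'b', 'c' };
    const uint8_t bad[]  = { 200, 'a', 'b', 'c' };

    printf("good: %d\n", parse_checked(good, sizeof good, out, sizeof out)); /* 3 */
    printf("bad:  %d\n", parse_checked(bad, sizeof bad, out, sizeof out));   /* -1 */
    /* parse_unchecked(bad, ...) is deliberately not called: it would copy
       200 bytes out of a 4-byte buffer, which is undefined behaviour. */
    return 0;
}
```

The checked version rejects a message that declares more than it carries, a message whose payload would not fit the destination, and an empty message; the unchecked version accepts every well-formed message identically, which is why such defects survive ordinary functional testing.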
A common lifecycle of a zero-day exploit is as follows:
- The software manufacturer releases a product containing the vulnerability, usually without knowing it.
- The attacker finds the vulnerability before the software developer does, or before users report it.
- The attacker creates and distributes an exploit.
- The manufacturer finds the vulnerability and starts writing the fix.
Since attackers will not announce, for understandable reasons, that they have found a vulnerability, it may take several months to learn that such an exploit exists. In some cases it can even take years, as in the case of Microsoft Internet Explorer, where Microsoft confirmed a vulnerability in IE 7 that affected previous versions as well. For this reason zero-day exploits are considered the most dangerous and undetectable kind.
Every exploit contains a part called the shellcode. The original purpose of shellcode was to start a shell, an operating system program that provides a command interface between the user and the operating system, and to establish a connection with a remote control server (for example the attacker's computer) for further instructions. Once the shellcode is injected and control of the compromised machine is gained, malware or a botnet agent may be downloaded and installed, another machine may be attacked, or any other scenario may follow.
The following image shows the structure of an exploit and its shellcode.