To start with, a vulnerability is a weakness in the target system which creates a security risk - that it can be exploited.
An exploit is a way, a piece of code that can trigger & take advantage of a vulnerability.
A payload is the actual component in the attack which 'do' things for an attacker.
Therefore, a payload must have at least 2 components in it:
1. Communications capability - set up communication channel for the attacker
2. Functionality - defines what all actions an attacker can perform
Metasploit provides 2 types of payloads:
1. Single / Stand-alone / Self-contained
2. Staged [Stager + Stage]
Stager = communication module
Stage = functionality
A full payload = Stager + Stage
Self-contained payloads have both Stager & Stage already bundled together. These payloads include all functionality to load itself into the memory, set up communication channel for the attacker, and lastly provide attacker with the environment & command capability to interact with the compromised system.
A few examples of single / self-contained payloads are:
exec -> runs a command
adduser -> creates a new local user and add it to local administrator group
shell_bind_tcp / shell_reverse_tcp -> sets up a standard TCP bind / reverse listener
In contrast to self-contained payloads, Staged payloads function in a slightly different manner.
A Staged payload constitutes of a Stager and a Stage. These 2 components are NOT bundled together. An attacker can specify a stager and a stage independently.
When a vulnerability is exploited successfully, the Stager component goes first as payload. The stager is responsible for uploading the Stage next, and to set up communications channel for the stage so that attacker can interact with it.
Let's look for Stagers and Stages in the Metasploit directories..
ls /opt/msfo/msf3/modules/payloads/stagers/java/bind_tcp.rb reverse_http.rb reverse_tcp.rb
ls -R /opt/msfo/msf3/modules/payloads/stagers/linux/
bind_ipv6_tcp.rb bind_tcp.rb find_tag.rb reverse_ipv6_tcp.rb reverse_tcp.rb
ls -R /opt/msfo/msf3/modules/payloads/stagers/windows/
/opt/msfo/msf3/modules/payloads/stagers/windows/:bind_ipv6_tcp.rb reverse_http.rb reverse_ord_tcp.rb x64bind_nonx_tcp.rb reverse_https.rb reverse_tcp_allports.rbbind_tcp.rb reverse_ipv6_tcp.rb reverse_tcp_dns.rbfindtag_ord.rb reverse_nonx_tcp.rb reverse_tcp.rb
-> Notice that all these are setting up a communications channel.
Now looking for Stages:
bsd bsdi java linux netware osx php windows
ls /opt/msfo/msf3/modules/payloads/stages/java/meterpreter.rb shell.rb
ls -R /opt/msfo/msf3/modules/payloads/stages/osx//opt/msfo/msf3/modules/payloads/stages/osx/:armle ppc x86
bundleinject.rb isight.rb vforkshell.rb
ls -R /opt/msfo/msf3/modules/payloads/stages/windows/
dllinject.rb patchupdllinject.rb shell.rb vncinject.rbmeterpreter.rb patchupmeterpreter.rb upexec.rb x64
meterpreter.rb shell.rb vncinject.rb
-> All these modules provide functionality & interactive environments.