An exploit is the means by which an attacker, or penetration tester for that matter, takes advantage of a vulnerability within a system, an application, or a service. An attacker uses an exploit to attack a system in a way that results in a particular desired outcome that the developer never expected. Common exploits include buffer overflows, web application vulnerabilities (such as SQL injection), and configuration errors.
A payload is a custom code that attacker want the system to execute and that is to be selected and delivered by the Framework. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a Windows command prompt, whereas a bind shell is a payload that “binds” a command prompt to a listening port on the target machine, which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.
Shellcode is basically a list of carefully crafted commands that can be executed once the code is injected into a running application. It’s a series of instructions used as a payload when exploiting a vulnerability. Shellcode is typically written in assembly language. In most cases, a command shell or a Meterpreter shell will be provided after the set of instructions have been performed by the target machine, hence the name.