Luigi Auriemma

Hey,

i just tried the va() DoS exploit exploit in CoD4 in order to test my server on its vulnerability. Since ive got no clue about such things i just did whats written in the advisory.

I moved the cod4va file into my main folder, joined the server and used exec.

Then i received a message which said "unknown cmd aaaaaaaaa..." and nothing happens.
Am i doing something wrong or does this mean my server is secure?

Ive also read something about a way which works without joining the server but actually ive got no idea how this " yyyygetchallenge 0 aaaaaaaaaaaaaaaaaaaaaaa...1025...aaa" stuff works. :/

Thanks,

if you server doesn't crash after having executed cod4va.cfg I can say it's not vulnerable or it can't be exploited in that way.
if you have not fixed it with unofficial patches like those written by me and you use punkbuster then this is the reason, because pb filtered the bad packet from the client.

while for the getchallenge thing it works only with internet non-cracked servers.
it should be testable with udpsz (http://aluigi.org/testz.htm#udpsz) using the following command:
udpsz -c "\xff\xff\xff\xffgetchallenge 0 " -b a SERVER PORT 2000