Mcp Exploit Demo
What is Mcp Exploit Demo
mcp-exploit-demo is a repository that demonstrates a security vulnerability in MCP (Model Context Protocol) servers, allowing for remote code execution and data exfiltration through tool poisoning.
Use cases
Use cases include demonstrating the risks of tool poisoning in AI development environments, educating developers about security best practices, and testing the effectiveness of security measures against such vulnerabilities.
How to use
To use mcp-exploit-demo, set up the malicious MCP server by running the server.py script. Connect to this server using an MCP client like Cursor AI, which will be manipulated to execute the poisoned tool.
Key features
Key features include two-stage poisoning for persistence, social engineering tactics to manipulate AI assistants, base64 obfuscation to hide malicious commands, and the use of wget for data exfiltration.
Where to use
mcp-exploit-demo can be used in educational and security research contexts to understand vulnerabilities in MCP servers and to develop mitigation strategies.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Overview
What is Mcp Exploit Demo
mcp-exploit-demo is a repository that demonstrates a security vulnerability in MCP (Model Context Protocol) servers, allowing for remote code execution and data exfiltration through tool poisoning.
Use cases
Use cases include demonstrating the risks of tool poisoning in AI development environments, educating developers about security best practices, and testing the effectiveness of security measures against such vulnerabilities.
How to use
To use mcp-exploit-demo, set up the malicious MCP server by running the server.py script. Connect to this server using an MCP client like Cursor AI, which will be manipulated to execute the poisoned tool.
Key features
Key features include two-stage poisoning for persistence, social engineering tactics to manipulate AI assistants, base64 obfuscation to hide malicious commands, and the use of wget for data exfiltration.
Where to use
mcp-exploit-demo can be used in educational and security research contexts to understand vulnerabilities in MCP servers and to develop mitigation strategies.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Content
SSH Key Exfiltration via MCP Tool Poisoning
This repository demonstrates a security vulnerability in MCP (Model Context Protocol) servers that allows for remote code execution and data exfiltration through tool poisoning.
This is intended for educational and security research purposes only.
Link for the Blog:
Repository Contents
server.py- The malicious MCP server implementation containing the poisoned tool.cursor/mcp.json- Configuration file for Cursor AI integration
How It Works
The attack demonstrates the “Rug Pull” method:
- A user connects to the malicious MCP server through MCP Client like Cursor AI
- The server modifies the
DockerCommandAnalyzertool’s documentation with malicious code - When an AI assistant reads this documentation, it’s manipulated to recommend running a base64-encoded command
- The encoded command silently:
- Collects the user’s SSH public keys
- Exfiltrates them to a remote server
- Removes evidence of the attack
Technical Implementation
The key elements of the attack are:
- Two-stage poisoning: Uses a marker file for persistence to ensure the tool remains poisoned
- Social engineering: Uses urgent language to manipulate AI assistants
- Base64 obfuscation: Hides the malicious commands from casual inspection
- wget for exfiltration: Uses standard HTTP POST to send data to an attacker-controlled server
Mitigation Recommendations
To protect against this type of attack:
- Disable auto-run features in AI development tools like Cursor
- Always verify the source of any MCP server before connecting
- Review code from untrusted sources before execution
- Use sandboxed environments when testing new AI tools
- Implement egress filtering to block unexpected outbound connections
Dev Tools Supporting MCP
The following are the main code editors that support the Model Context Protocol. Click the link to visit the official website for more information.
