mcp-exploit-demo

mcp-exploit-demo

3.4
security

If you are the rightful owner of mcp-exploit-demo and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.

This repository demonstrates a security vulnerability in MCP servers that allows for remote code execution and data exfiltration through tool poisoning.

SSH Key Exfiltration via MCP Tool Poisoning

This repository demonstrates a security vulnerability in MCP (Model Context Protocol) servers that allows for remote code execution and data exfiltration through tool poisoning. This is intended for educational and security research purposes only.

Link for the Blog:

MCP tool poisoning to RCE

Repository Contents

  • server.py - The malicious MCP server implementation containing the poisoned tool
  • .cursor/mcp.json - Configuration file for Cursor AI integration

How It Works

The attack demonstrates the "Rug Pull" method:

  1. A user connects to the malicious MCP server through MCP Client like Cursor AI
  2. The server modifies the DockerCommandAnalyzer tool's documentation with malicious code
  3. When an AI assistant reads this documentation, it's manipulated to recommend running a base64-encoded command
  4. The encoded command silently:
    • Collects the user's SSH public keys
    • Exfiltrates them to a remote server
    • Removes evidence of the attack

Technical Implementation

The key elements of the attack are:

  1. Two-stage poisoning: Uses a marker file for persistence to ensure the tool remains poisoned
  2. Social engineering: Uses urgent language to manipulate AI assistants
  3. Base64 obfuscation: Hides the malicious commands from casual inspection
  4. wget for exfiltration: Uses standard HTTP POST to send data to an attacker-controlled server

Mitigation Recommendations

To protect against this type of attack:

  1. Disable auto-run features in AI development tools like Cursor
  2. Always verify the source of any MCP server before connecting
  3. Review code from untrusted sources before execution
  4. Use sandboxed environments when testing new AI tools
  5. Implement egress filtering to block unexpected outbound connections

Related MCP Servers

View all security servers →
better-auth-mcp-server

better-auth-mcp-server

4.2

by nahmanmate

MCP Server for Authentication Management

security
gateway

gateway

4.0

by centralmind

CentralMind Gateway is a tool designed to expose databases to AI agents via MCP or OpenAPI protocols, providing secure, LLM-optimized APIs.

databases
ida-pro-mcp

ida-pro-mcp

3.7

by mrexodia

Simple MCP Server to allow vibe reversing in IDA Pro.

developer_tools
LitterBox

LitterBox

3.7

by BlackSnufkin

LitterBox is a controlled sandbox environment for security professionals to develop and test payloads, offering advanced analysis capabilities.

security
osv-mcp

osv-mcp

3.7

by StacklokLabs

An MCP server providing access to the OSV database for querying vulnerability information.

databases
code-sandbox-mcp

code-sandbox-mcp

3.6

by Automata-Labs-team

A secure sandbox environment for executing code within Docker containers. This MCP server provides AI applications with a safe and isolated environment for running code while maintaining security through containerization.

security
obsidian-mcp-tools

obsidian-mcp-tools

3.6

by jacksteamdev

MCP Tools for Obsidian enables AI applications like Claude Desktop to securely access and work with your Obsidian vault through the Model Context Protocol (MCP).

ai_chatbot
ida-mcp-server-plugin

ida-mcp-server-plugin

3.6

by taida957789

IDA Pro MCP Server is a plugin that allows remote querying and control of IDA Pro through the Model Context Protocol (MCP) interface.

developer_tools
MCP2Lambda

MCP2Lambda

3.6

by danilop

MCP2Lambda allows LLMs to interact with AWS Lambda functions as tools, enabling access to real-time and private data, execution of custom code, and interaction with external services.

cloud_platforms
jadx-mcp-server

jadx-mcp-server

3.6

by zinja-coder

JADX-MCP-SERVER is a fully automated MCP server designed to work with the JADX-AI-MCP Plugin for analyzing Android APKs using LLMs like Claude.

ai_chatbot
dynatrace-mcp

dynatrace-mcp

3.5

by dynatrace-oss

This remote MCP server allows interaction with the Dynatrace observability platform, bringing real-time observability data directly into your development workflow.

monitoring
zionfhe_mcp_server_test

zionfhe_mcp_server_test

3.5

by joyecai

Zionfhe_mcp_server_test is a server implementation based on the new homomorphic encryption technology ZIONFHE, designed to provide secure computation capabilities.

security
mcp-virustotal

mcp-virustotal

3.5

by BurtTheCoder

The VirusTotal MCP Server is a Model Context Protocol server designed for querying the VirusTotal API, providing comprehensive security analysis tools with automatic relationship data fetching.

security
mcp-shodan

mcp-shodan

3.5

by BurtTheCoder

A Model Context Protocol (MCP) server for querying the Shodan API and Shodan CVEDB, providing access to network intelligence and security services.

security
roadrecon_mcp_server

roadrecon_mcp_server

3.5

by atomicchonk

The ROADrecon MCP Server provides AI assistants like Claude with access to ROADRecon Azure AD data for security analysis.

security
MetasploitMCP

MetasploitMCP

3.5

by GH05TCREW

This MCP server provides a bridge between large language models like Claude and the Metasploit Framework penetration testing platform.

security
MCP_Security

MCP_Security

3.5

by fr0gger

A Model Context Protocol (MCP) server for querying the ORKL API, providing tools for fetching and analyzing threat reports, threat actors, and sources.

security
aws-security-mcp

aws-security-mcp

3.5

by groovyBugify

AWS Security MCP is a Model Context Protocol server that allows AI assistants to autonomously inspect and analyze AWS infrastructure for security issues.

security
GhidraMCP

GhidraMCP

3.5

by 13bm

A Ghidra plugin that implements the Model Context Protocol (MCP) for AI-assisted binary analysis.

developer_tools
pentest-mcp

pentest-mcp

3.5

by DMontgomery40

Pentest MCP is a Model Context Protocol server that integrates essential pentesting tools into a unified natural language interface, allowing security professionals to execute, chain, and analyze multiple tools through conversational commands.

security
binja-lattice-mcp

binja-lattice-mcp

3.5

by Invoke-RE

BinjaLattice is a secure communication protocol for Binary Ninja that enables interaction with external Model Context Protocol (MCP) servers and tools.

developer_tools
mcp_zoomeye

mcp_zoomeye

3.5

by zoomeye-ai

A Model Context Protocol (MCP) server that provides network asset information based on query conditions.

research_and_data
BurpSuite-MCP-Server

BurpSuite-MCP-Server

3.5

by X3r0K

A powerful Model Context Protocol (MCP) server implementation for BurpSuite, providing programmatic access to Burp's core functionalities.

security
chucknorris

chucknorris

3.5

by pollinations

The C̷h̷u̷c̷k̷N̷o̷r̷r̷i̷s̷ MCP Server is a tool designed to enhance LLMs using specialized prompts and dynamic schema adaptation, primarily for security research.

security
ExternalAttacker-MCP

ExternalAttacker-MCP

3.5

by MorDavid

ExternalAttacker is a Model Context Protocol (MCP) server designed for external attack surface management, integrating automated scanning with a natural language interface.

security
mcp-security-audit

mcp-security-audit

3.5

by qianniuspace

A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities.

security
NGCBot-MCP

NGCBot-MCP

3.5

by ngc660sec

NGCBot-MCP-Server is a WeChat bot based on the HOOK mechanism, supporting various features like security news push, AI responses, and more.

communication