## https://sploitus.com/exploit?id=1036231A-5338-5B8F-8FD7-BB2F8D75BA62
# MCP C# SDK cmd.exe Argument Injection PoC
Proof of concept for a command injection vulnerability in the [MCP C# SDK](https://github.com/modelcontextprotocol/csharp-sdk) `StdioClientTransport` on Windows.
## End-to-End Proof (Primary)
The `e2e/` directory contains a complete demonstration through the **published `ModelContextProtocol` NuGet package** (v0.8.0-preview.1). A Claude Desktop-style config with crafted arguments triggers arbitrary command execution at server startup, before any MCP protocol interaction.
### What it does
1. Loads `mcp-config.json` โ a malicious MCP server config with a crafted `--data` argument
2. Creates a `StdioClientTransport` from the config (exactly as Claude Desktop would)
3. Calls `McpClient.CreateAsync()` โ which internally starts the process via `cmd.exe /c`
4. .NET quotes the argument with `\"`, cmd.exe misparses it, `&` becomes a command separator
5. The injected command creates `%TEMP%\mcp_poc.txt` โ proving arbitrary execution
### Run it
The E2E test runs as Job 4 in the GitHub Actions workflow:
**Actions โ "PoC - C# MCP SDK cmd.exe Argument Injection" โ "Run workflow"**
Or manually on a Windows machine with .NET 8 SDK and Node.js:
```powershell
cd e2e
dotnet run --project McpCmdInjection.csproj
```
### Files
```
e2e/
โโโ Program.cs # E2E client using the real MCP SDK
โโโ McpCmdInjection.csproj # .NET 8 project, refs ModelContextProtocol NuGet
โโโ mcp-config.json # Malicious Claude Desktop-style config
โโโ server.js # Legitimate MCP server (Node.js stdio)
```
## Supporting Evidence
| File | Purpose |
|------|---------|
| `REPORT.md` | Full vulnerability writeup with root cause analysis |
| `simulate_cmdline.py` | Cross-platform simulation of the quoting mismatch (Python 3.10+) |
| `CmdInjectionPoC.cs` | Isolated .NET PoC using `Process.Start` directly |
| `.github/workflows/poc-test.yml` | CI workflow with 4 test jobs |
## Quick Verification
On any Windows machine, run in `cmd.exe`:
```cmd
cmd.exe /c echo "--config=\"malicious & echo INJECTED"
```
If `INJECTED` prints on its own line, the parsing mismatch is confirmed.
## CI Workflow Jobs
| Job | What it tests |
|-----|---------------|
| Test 1 | Raw cmd.exe `\"` parsing mismatch |
| Test 2 | .NET `ArgumentList` produces exploitable command line |
| Test 3 | `EscapeArgumentString` gap when whitespace is present |
| **Test 4** | **E2E injection through the published MCP C# SDK NuGet package** |