A small correction:
The cd-key stealing is not possible since the master server address is
built-in in the client code.
Sorry for this wrong info, I added it almost two weeks ago while taking
note of the possible ways for exploitating these bugs and forgot to
recheck this method.
I have updated the proof-of-concept simply adding the cl_allowdownload
cvar, so is no longer needed to enable "Automatic Downloading" on the
client since any client with this option disabled or enabled will start
to overwrite any file in the system decided by the server of the attacker
which has full control over the client's cvars (those write protected
too, just like fs_homepath).
As already said the PoC is very very basic, relaunch the server or
change map if you want to re-overwrite the same file on the same client
(useless info, I tell you only in case you are not able to re-overwrite
the same file during the same server session and don't know why).