A small correction: The cd-key stealing is not possible since the master server address is built-in in the client code. Sorry for this wrong info, I added it almost two weeks ago while taking note of the possible ways for exploitating these bugs and forgot to recheck this method. I have updated the proof-of-concept simply adding the cl_allowdownload cvar, so is no longer needed to enable "Automatic Downloading" on the client since any client with this option disabled or enabled will start to overwrite any file in the system decided by the server of the attacker which has full control over the client's cvars (those write protected too, just like fs_homepath). As already said the PoC is very very basic, relaunch the server or change map if you want to re-overwrite the same file on the same client (useless info, I tell you only in case you are not able to re-overwrite the same file during the same server session and don't know why). BYEZ --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org