Should exploits (even exploits from frameworks) that build malicious files drop those files into the current working directory (cwd) or into some other designated dir (/tmp? ~/? ~/.cache/, etc?)?