No, it would require the clients consent.
The host cant upload files to the client without a client side add-on which the client would have to download.(to my knowledge, but this is most likely true)
Besides, a hack requiring the host would be impractical because this guy A) wasnt the host and of course B) you would need people to join your server and it eliminates the idea of joining any random server and killing stuff.