One thing I have always maintained is that aspiring or practicing
penetration testers who use an exploitation product (such as CANVAS,
Core Impact, Metasploit) should know how buffer overflows actually work.
Having this knowledge will help you understand the circumstances under
which these products can work, will help you troubleshoot when things
don't work and will correct unrealistic expectations about what the
products are capable of.
In addition, being able to reproduce buffer overflow exploits will also
give you the tools to more accurately assess the risk of discovered
vulnerabilities as well as to develop effective countermeasures for
exploits out in the wild. These are important skills for incident
responders and for those attempting to protect their networks.