matrizzo / cs412-project

Project for CS412 - Software Security


Stack Buffer Overflow in grass::log()

hazimeh opened this issue · comments

A vulnerability exists in grass::log(), at session.cpp:68, where an unbounded string copy from a user-controlled input to a fixed-size stack buffer is performed.

In grass::Session::onNewData(), at session.cpp:96, when an invalid command is received, the command name is logged as an error. As such, it suffices to send a command name of length greater than 256 bytes to overrun the buffer. Upon disassembly of the server binary, it becomes evident that, in fact, the last 4 bytes of a 272-byte command will overwrite the return address in the stack frame of the current function.

For the sake of this demonstration, the buffer will be filled with 68 4-byte words (for a total of 272 bytes), each word containing the address of the hijack_flow() method: 0x5656e5a1.
The “in” script, in the attached PoC, contains the faulty command, followed by a new-line character.

sploit_1.zip
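As an added illustration that is not part of the original report or the project's code: a hypothetical stand-in for the unbounded copy into a fixed-size stack buffer that the report describes, next to a bounded replacement and a length check at the command-parsing boundary. The 256-byte buffer, the function names and the 255-byte command limit are assumptions, not values taken from grass.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for the defect described in the report: a fixed-size
// stack buffer filled by an unbounded copy of attacker-controlled text.
// Kept only to show the pattern beside its fix; nothing below calls it.
void logUnsafe(const std::string& msg) {
    char buf[256];                     // assumed size; the report says >256 bytes overruns it
    std::strcpy(buf, msg.c_str());     // no bound: a 272-byte input runs past the frame
    std::fputs(buf, stderr);
}

// Bounded replacement: snprintf never writes past sizeof(buf) and always
// NUL-terminates. Its return value is the length the full message needed, so
// the caller can detect truncation. Returns true when the message fit;
// the text actually retained is copied to *kept for inspection.
bool logBounded(const std::string& msg, std::string* kept) {
    char buf[256];
    int needed = std::snprintf(buf, sizeof(buf), "%s", msg.c_str());
    bool fit = needed >= 0 && static_cast<size_t>(needed) < sizeof(buf);
    if (kept) *kept = buf;
    return fit;
}

// Defence in depth: reject oversized command names before they reach any
// logger or other fixed-size sink. The limit is an assumed policy value.
const size_t kMaxCommandLen = 255;
bool commandNameAcceptable(const std::string& name) {
    return name.size() <= kMaxCommandLen;
}

int main() {
    std::string oversized(272, 'A');   // constructed input, same length as in the report
    std::string kept;
    bool fit = logBounded(oversized, &kept);
    std::printf("fit=%d retained=%zu accepted=%d\n",
                fit, kept.size(), commandNameAcceptable(oversized));
    return 0;
}
```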