What are the Machines with Buffer Overflow, ranked.

I need a list of machines (retired or activate) with which I can practice for buffer overflow vulnerabilities, ranked from easiest to most difficult “i.e. simple, require fuzzing, with bad chars, with ASR… etc”

sneaky : easy ROP
enterprise : medium RET2LIB
fortress overflown : easy

Thanks for posting this, didnt know I was interested in this until I saw this post haha


@Waffles said:
Thanks for posting this, didnt know I was interested in this until I saw this post haha

I’m with you on that one… I’ll have to keep tabs on this discussion.

@peek thanks…

For whoever is interested, here’s the current ranked list “ranked by difficulty of overflow-from easiest to hardest”:


Edits and additions are welcome…

Calamity should be on that list too!

Correct, and it ranks right at the top.

New list:


For those who want to learn, you can start by doing a simple BoF on your machine:

then you can go down the list starting with sneaky.

I need some general advise . Using vulnerable applications to perform BO .

OTW Leviathan is a good place to get some early exposure to things like strace: http://overthewire.org/wargames/leviathan/ not exactly BO dev, but core stuff that comes in handy leading up to it.

Corelan has a pretty good tutorial series covering a good range of topic levels from simple trampolining to SEH and ASLR evasion: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

Thank you !

If you want to learn binary exploitation, practice on pwnable.tw or pwnable.kr. HackTheBox isn’t the best place for that.

Has no one here completed Ellingson? It has a really cool ROP. That I’d put on the medium to upper end.

BigHead if you prefer Win32.

I think it is better to practice BOF on OTW or pwnable.kr

BTW. Who knows windows BOF exercises site, similar to OTW behemoth or pwnable.kr?

It brings a tear to my eye thay you guys are so helpful. I need to prepare for my OSCP and I am terrible with buffer overflows.

Thank you. :,)