Setting up vulnerable Virtual Machines is one of the easiest ways to test exploitation techniques. These VM's can come in a variety of formats, but seem to be distributed mainly as either an ISO, or a directory you can place on a web server.
g0tmi1k has a great listing of vulnerable VM's with a link to each. It's worth checking out!
You can find the list here: http://g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html
