Stack Confusion with Buffer Overflow


At the moment I am reading a book called "Forbidden Code". In this book there are
examples, but they never work for me, although I'm sure that I understood
I want to describe the example. It is about getting root permissions on
one's own computer with the help of a buffer overflow.
First of all, there is the vulnerable program:

#include <string.h>

int main(int argc, char **argv) {
    char buffer[5];

    /* No bounds check: an argv[1] longer than 4 bytes overflows buffer. */
    strcpy(buffer, argv[1]);
    return 0;
}

Then I saved the shellcode, which I got from the book, to a variable SHELLCODE.
The shellcode looks like this:


It is described that x90 is the "No Operation" instruction. "shellcode"
contains 46 hex numbers, which also include /bin/sh, as you can see below:

export SHELLCODE=`perl -e 'print "\x90"x200;'``cat shellcode`

Then I looked into the stack:

0xbfd13510: "HOSTNAME=gentoo"
0xbfd13520: "SHELLCODE=", '\220' <repeats 190 times>...
0xbfd13621: "SHELL=/bin/bash"

Because the address 0xbfd13520 contains the string "SHELLCODE", I have
to choose a later address to get to the code, so I chose at least
Now I can use this address as the jump-back address for the buffer
overflow. I have to write the hex numbers in little-endian order
because my processor is an Intel. (By the way, I also tried a 100-times loop below.)

../vuln `perl -e 'print "\x30\x35\xd1\bf"x10;'`

When I start vuln with the parameters, I just get a SEGMENTATION FAULT
instead of root-rights.
First I thought that the shellcode could be wrong, but in an earlier
example I managed to get root privileges, but _only_ once.
Can anybody imagine where this example fails?