Use An ENV Variable
Put shellcode in an environment variable
Compute return address: 0xbffffffa - strlen(shellcode) - strlen(<vuln prog name>) to get address for EIP
Overflow buffer with the computed return address