I have seen that the address in the ESP register differs between the first and the second tab of the terminal. Also, the ESP sometimes changes after restarting the VM. The ASLR and the other protections are off. What happens here?
In Linux, the environment vars and args are at the top (highest addresses) of the stack on process entry.
esp on entry to _start points to argc, and right above that is argv[]. (By value, not a pointer to argv. CRT startup code has to lea eax, [esp+4] or something to get &argv[0], and pass that to main.)
Above that is envp[]. (I found a diagram in http://asm.sourceforge.net/articles/startup.html. See also the i386 System V ABI documentation.)
With ASLR disable, the highest address of the region mapped as stack memory is fixed, but a different sized environment will take up a different amount of space above the initial esp.