Ok, so thanks @Wumpus Q. Wumbley, this helped me understand things.
Doing next
jumps leave
and ret
altogether. ret
is the instruction that changes eip
, it must be equivalent of pop eip
. But leave
modifies the stack pointers esp
and ebp
before (especially because when I am overwriting ebp+4 I change the value contained at ebp)
TLDR : Not overwriting the value at ebp makes it work successfully.