The binary "zip" isn't the exploit, it's the shellcode. The exploit is the rest, which changes the code of a SUID executable (su).
replyI have a C translation here that should be pretty readable https://github.com/tgies/copy-fail-c
replyThe call to zlib basically overwrites a minimal ELF into a portion of the `su` binary, which exceve's /bin/sh.
replyTo be specific, the zlib'd binary basically does this (except that it directly uses Linux syscalls to do so rather then C wrappers):
reply setuid(0);
execve("/bin/sh", NULL, NULL);
exit(0);