The call to zlib basically overwrites a minimal ELF into a portion of the `su` binary, which exceve's /bin/sh.
To be specific, the zlib'd binary basically does this (except that it directly uses Linux syscalls to do so rather then C wrappers):
setuid(0); execve("/bin/sh", NULL, NULL); exit(0);
To be specific, the zlib'd binary basically does this (except that it directly uses Linux syscalls to do so rather then C wrappers):