credits: (I've heard it was first discovered by ricky from PPP? but I don't know, also documented here)
info: For info on what the magic gadget is check out this
./magic_finder.py libc-2.19.so
./magic_finder.py libc-2.19.so -b libc-2.19.bndb
The simplest thing to do while ctfing is just copying the output addresses and brute forcing each and hope to get lucky (no shame when it is the magic gadget), it shouldn't take too long. Or go through the verbose output or pull up the address in binary ninja or ida to have a closer look.