Check what ROP chains you have overall in that tiny binary -- look for inspirations.

Look at the longer ROPs possible (i.e. suffixes of functions) to see if there are any glaring/interesting function calls like 1

I.e. think beyond the generic ROP chains of changing memory pages to executable and such; maybe there are some low-hanging features of interest (e.g. .....slang eval or such)

And lastly -- look around what else is on the stack, e.g. one frame up - anything useful if you assumed control over those local variables?