Original writeup (https://www.pwndiary.com/write-ups/angstrom-ctf-2018-hellcode-write-up-pwn200/).
HackerChai, March 23, 2018, 6:31 a.m.

Actually, I don't think the payload has to be this complicated. You can fit a payload in under 16 bytes.
You can just:
1. mov ebx, [GOT of any function]
2. add/sub the offset between the libc function and a one-gadget (need to exfil libc from the system)
3. push ebx (the program will append ret)