by kevin_thibedeau 4006 days ago
on 32-bit x86 the RET instructions are 0xC3 and 0xCB. Any other instruction containing these bytes can be subverted into a return if you can make the processor read the preceding instructions from the wrong starting point.
2 comments

Sure; the authors in the Roemer paper found a couple of those. The best place to get a sense of how this works is the "Gadget Catalog" section of that paper.
Don't forget the variants with a stack-adjusting immediate, 0xC2 and 0xCA. Those can also come in handy.
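To make the misaligned-decode point from the top comment concrete, and to include the 0xC2/0xCA variants mentioned in the reply, here is an added example that is not from the thread or from the Roemer paper. It scans a constructed byte buffer (four hand-assembled 32-bit x86 instructions, an assumption for illustration) for every ret-family opcode byte and reports whether each one starts an instruction in the intended decode or sits inside a longer instruction, which is exactly where unintended gadgets come from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (assumption, not from the thread): four 32-bit x86
 * instructions as a compiler would emit them. Intended decode:
 *   00: b8 c3 00 00 00      mov  eax, 0xC3
 *   05: 83 c0 02            add  eax, 2
 *   08: 81 c3 c2 01 00 00   add  ebx, 0x1C2
 *   0e: c3                  ret        <- the only intended return
 */
static const uint8_t sample_code[] = {
    0xb8, 0xc3, 0x00, 0x00, 0x00,
    0x83, 0xc0, 0x02,
    0x81, 0xc3, 0xc2, 0x01, 0x00, 0x00,
    0xc3,
};
static const size_t sample_insn_len[] = { 5, 3, 6, 1 };
#define SAMPLE_LEN   (sizeof sample_code)
#define SAMPLE_INSNS (sizeof sample_insn_len / sizeof sample_insn_len[0])

/* ret (C3), ret imm16 (C2), retf (CB), retf imm16 (CA). */
static int is_ret_opcode(uint8_t b)
{
    return b == 0xC3 || b == 0xC2 || b == 0xCB || b == 0xCA;
}

/* boundary[i] = 1 iff offset i starts an instruction in the intended decode. */
static void mark_boundaries(const size_t *lens, size_t n_insn, size_t code_len,
                            uint8_t *boundary)
{
    size_t off = 0;
    memset(boundary, 0, code_len);
    for (size_t i = 0; i < n_insn && off < code_len; i++) {
        boundary[off] = 1;
        off += lens[i];
    }
}

struct ret_hit {
    size_t  offset;
    uint8_t opcode;
    int     unintended;   /* 1 if the byte sits inside a longer intended instruction */
};

/* Scan for ret-family bytes. Returns the total number found and fills at most
 * max_hits entries. Each hit is a candidate gadget end: decode backwards from
 * it (with a real disassembler) to see which useful instruction prefix lands
 * on it when execution starts at a non-boundary offset. */
static size_t find_ret_bytes(const uint8_t *buf, size_t len, const uint8_t *boundary,
                             struct ret_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (!is_ret_opcode(buf[i]))
            continue;
        if (n < max_hits) {
            hits[n].offset     = i;
            hits[n].opcode     = buf[i];
            hits[n].unintended = !boundary[i];
        }
        n++;
    }
    return n;
}

/* Convenience wrappers over the constructed sample. */
static size_t scan_sample(struct ret_hit *hits, size_t max_hits)
{
    uint8_t boundary[SAMPLE_LEN];
    mark_boundaries(sample_insn_len, SAMPLE_INSNS, SAMPLE_LEN, boundary);
    return find_ret_bytes(sample_code, SAMPLE_LEN, boundary, hits, max_hits);
}

static size_t sample_unintended_count(void)
{
    struct ret_hit hits[SAMPLE_LEN];
    size_t n = scan_sample(hits, SAMPLE_LEN), u = 0;
    for (size_t i = 0; i < n; i++)
        u += (size_t)hits[i].unintended;
    return u;
}

/* 1 = unintended ret byte at off, 0 = intended ret, -1 = no ret byte there. */
static int sample_ret_kind(size_t off)
{
    struct ret_hit hits[SAMPLE_LEN];
    size_t n = scan_sample(hits, SAMPLE_LEN);
    for (size_t i = 0; i < n; i++)
        if (hits[i].offset == off)
            return hits[i].unintended;
    return -1;
}

int main(void)
{
    struct ret_hit hits[SAMPLE_LEN];
    size_t n = scan_sample(hits, SAMPLE_LEN);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%02zx: 0x%02x %s\n", hits[i].offset, hits[i].opcode,
               hits[i].unintended ? "unintended (inside a longer instruction)"
                                  : "intended return");
    return 0;
}
```

On this sample the scanner flags three unintended ret bytes (the immediate of the mov at offset 1, the ModRM byte 0xC3 of the add at offset 9, and the 0xC2 of its immediate at offset 10) next to the one intended ret at offset 14. The scanner only finds the candidate ends; whether a useful gadget precedes each one is a disassembler's job, since x86 resynchronises quickly. Decoding the sample from offset 6 by hand, for instance, gives c0 02 81 = rol byte ptr [edx], 0x81 followed by c3 = ret, a two-instruction gadget that does not exist anywhere in the intended instruction stream.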