Once the offset is obtain and cause a binary crash, it's possible to obtain the value of the next bytes on the stack that will not crash the binary by enumerate all the possible value.

This technique is mostly used to leak the canary

How it work ?

The idea is to overflow a single byte of the targeted value, for example the canary, overwriting a single byte x

If x was correct, the binary will not crash.

The algorithm is repeated for all possible 256 byte values until it is found. The attack continues for the next byte until all bytes (8 on 64-bit) are leaked.