For a small ctf challenge, I use the tool called Bropper, which is based on blind return-oriented programming. This tool checks if a forked server crashes or doesn't crash, and can leak information about the vuln program like gadgets.
https://github.com/Hakumarachi/Bropper
Sometimes I'm not able to leak a byte from the stack canary, but I'm not sure why.
The tool iterates from 0 to 255 in hexadecimal, but sometimes it does not find the correct byte.
I checked the tool and changed the function to_bytes('big') to to_bytes('little') because I use Ubuntu and the byte order is different from Debian Linux.