• 4.17.1 Product Update 2020-05-26
    • Bugs Fixed

      • PR 13415 - This changes the behavior of payload encoding in Metasploit, so that payloads free of any specified bad characters skip the encoding phase altogether. Previously, payloads would be unconditionally encoded if any bad chars were specified at all.
      • PR 13436 - This fixes a regression in the SERVICE_FILENAME and SERVICE_STUB_ENCODER options in psexec code.
      • PR 13465 - This fixes an issue within Meterpreter's packet dispatcher code where, under certain conditions, packets would be processed out of order, leading to failed protocol negotiation sequences.
      • PR 13499 - This fixes a bug in Java Meterpreter where the result of the stderr text stream was not returned when used with the cmd_exec post-exploitation API.

    • Enhancements and Features

      • PR 13262 - This adds a new stager format to allow a Python stager to call back and receive a binary Meterpreter payload, similar to the psh-reflection format.
      • PR 13443 - This adds or updates action descriptions for numerous auxiliary and post modules in order to improve the user experience when listing or choosing actions.
      • PR 13496 - This adds tests to verify that payloads, when used with the cmd_exec API, return the output of the stderr process stream in their results.

    • New Modules

      • PR 13445 - This adds a root exploit for Pi-Hole, versions 4.4 and lower. This takes advantage of CVE-2020-11108. A new blocklist is added, then an update is forced to pull in the blocklist content. Then PHP content is written to a file within the webroot.
      • PR 13463 - Adds a new module for exploiting a deserialization vulnerability in some versions of WebLogic. This takes advantage of CVE-2020-2555.

    • Offline Update

      • https://updates.metasploit.com/packages/70d765542ec0338a13431fe98f2bc10c18dd9d3b.bin

    • Metasploit Framework and Pro Installers

      • https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version