haven't contacted the author but he describes his supposed route. I'm trying to replicate his results, and there is indeed a possible integer overflow condition, but I'd be doubtful of reports of successful exploitation with systems linked with a newer version of glibc w/ heap consistency checking, StackGuard and/or ASLR.
I've been over every file that is referenced by ngx_http_request_t (http://lxr.evanmiller.org/http/ident?i=ngx_http_request_t) looking for buffers directly or indirectly using a value derived from a ngx_http_request->count (not -> main -> count), and although the bug condition he describes is possibly real, I'd love to see an RCE proof of concept from the author.