haven't contacted the author but he describes his supposed route. I'm trying to replicate his results and there is indeed a possible integer overflow condition but I'd be doubtful of reports of successful exploitation with systems linked with a newer version of glibc w/ heap consistency checking, stackguard &/| aslr.
http://lxr.evanmiller.org/http/source/core/ngx_log.h#L120 contains a few functions (2, 5 I've found so far) that write data in a (at a quick glance) safe fashion, I guess you might be able to give someone wierd logfiles.
I've been over every file that referenced by ngx_http_request_t http://lxr.evanmiller.org/http/ident?i=ngx_http_request_t looking for buffers, directly or indirectly using a value derived from a ngx_http_request->count (not -> main -> count), and although the bug condition he describes is possibly real, I'd love to see an RCE proof of concept from the author.
