According to the exploit author:
"Because it will cause greate damage,I can't give you the POC,instead a
tip.The r->count is a 8 bit data,if you try to increase the
r->main->count to more then 256,then it will exec
ngx_http_free_request(r, rc) and ngx_http_close_connection(c),so when
goto ngx_http_close_connection again,the segment fault happens.
Easy patch to modify src\http\ngx_http_request.h file,change count:8;
to count:16;"