I'm no expert, but it's obvious he hasn't seeded the PRNG, so the key pair could be weak. What do you see?


I think he's using OpenSSL's RNG (that's what BN_rand is). I think (but, if you put it to me, am not off the top of my head 100% certain) that OpenSSL's RNG will automatically initialize itself if you don't.


What are the hashes of? :D


Short strings describing crypto bugs. So when you find something I didn't, I can't claim to have found it myself first.


No padding used for keys sent by client? Public key sent by server not verified by client? Keys sent by client are not verified by server? I suspect there is a whole heap of problems with this, but that's just what I see atm.


1. Yep, that's one of my issues (echo unpadded rsa | openssl sha -sha256)

2. That's an issue but I didn't count it because the blog post cops to that problem.
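Added example (not code from the blog post or from anyone in this thread) of why "unpadded RSA" is on the list. It assumes, as the thread does not state, that the client encrypts a short symmetric key as a raw integer under a public exponent of e = 3; the toy key generation and the attack functions below are this example's own, written on the standard library only.

```python
import random
from math import gcd


def is_probable_prime(n, rounds=20):
    """Miller-Rabin; good enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, e):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p) and gcd(p - 1, e) == 1:
            return p


def gen_rsa(bits=1024, e=3):
    """Toy keygen for the example only; use a real library for anything else."""
    p = gen_prime(bits // 2, e)
    q = gen_prime(bits // 2, e)
    while q == p:
        q = gen_prime(bits // 2, e)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def textbook_encrypt(m, n, e):
    # "No padding": the message integer goes straight into m^e mod n.
    return pow(m, e, n)


def icbrt(x):
    """Largest r with r**3 <= x, by binary search over the integers."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def recover_small_message(c, e):
    # If m**e < n, the "mod n" never reduced anything, so c is literally m**e
    # over the integers and an e-th root recovers m. A 128-bit key cubed is
    # 384 bits, far below a 1024-bit modulus.
    assert e == 3, "this example only implements the cube-root case"
    r = icbrt(c)
    return r if r ** 3 == c else None


def demo(seed=1):
    random.seed(seed)  # deterministic so the run is repeatable
    n, e, d = gen_rsa(1024, 3)
    session_key = random.getrandbits(128)  # constructed: the key the client "sends"
    c = textbook_encrypt(session_key, n, e)
    recovered = recover_small_message(c, e)
    # Second consequence of no padding: malleability. Multiply the ciphertext
    # by 2**e and the server decrypts 2*m without anything to detect it.
    c2 = (c * pow(2, e, n)) % n
    doubled = pow(c2, d, n) == 2 * session_key
    return session_key, recovered, doubled
```

With OAEP (or even PKCS#1 v1.5 padding) the padded value is the size of the modulus, so m^e wraps and the root attack no longer applies; the malleability goes away because a padded-then-doubled value fails the padding check.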


What about the zero length? Wouldn't that reveal the encrypted IV since he's just xoring sizeof(uint32_t) against the IV and not including any MAC?


If it revealed anything, it'd be CTR keystream. The "IV" here is misnamed; it's the CTR counter block.
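Added example, not code from the post or from either commenter, of the point the two replies above make: with a zero-length payload the four bytes on the wire are the first four keystream bytes (the counter block is never exposed), and without a MAC they let anyone rewrite the length field. The frame layout (uint32 big-endian length, then payload, all under CTR) is an assumption modelled on the thread, and HMAC-SHA256 stands in for the AES block function so the example runs on the standard library alone.

```python
import hmac
import hashlib
import struct


def keystream_block(key, nonce, counter):
    # Stand-in for AES_k(nonce || counter). Any PRF makes the same point;
    # HMAC-SHA256 is used so no third-party AES package is needed.
    return hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()


def ctr_keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += keystream_block(key, nonce, counter)
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key, nonce, payload):
    """Vulnerable form: CTR only, no integrity check (assumed frame layout)."""
    plaintext = struct.pack(">I", len(payload)) + payload
    return xor(plaintext, ctr_keystream(key, nonce, len(plaintext)))


def parse_frame(key, nonce, frame):
    """Receiver: decrypt, then trust whatever length the plaintext claims."""
    plaintext = xor(frame, ctr_keystream(key, nonce, len(frame)))
    (claimed_len,) = struct.unpack(">I", plaintext[:4])
    return claimed_len, plaintext[4:]


def keystream_from_empty_frame(frame):
    # Empty payload => plaintext is exactly b"\0\0\0\0", so ciphertext XOR 0
    # is the ciphertext itself: these are keystream bytes, not the "IV".
    assert len(frame) == 4
    return xor(frame, b"\x00" * 4)


def forge_length(frame, new_len):
    # Knowing the keystream for those positions, encrypt any length we like.
    ks = keystream_from_empty_frame(frame)
    return xor(struct.pack(">I", new_len), ks)


# Hardened form: encrypt-then-MAC with a separate key over nonce || ciphertext.
def encrypt_frame_authenticated(enc_key, mac_key, nonce, payload):
    frame = encrypt_frame(enc_key, nonce, payload)
    tag = hmac.new(mac_key, nonce + frame, hashlib.sha256).digest()
    return frame + tag


def parse_frame_authenticated(enc_key, mac_key, nonce, blob):
    frame, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + frame, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before looking at the length field at all
    return parse_frame(enc_key, nonce, frame)


def demo():
    key, mac_key, nonce = b"K" * 32, b"M" * 32, b"N" * 8  # constructed values
    empty = encrypt_frame(key, nonce, b"")
    leaked_ok = keystream_from_empty_frame(empty) == ctr_keystream(key, nonce, 4)
    # Attacker turns the empty frame into one claiming a 4 GiB payload.
    forged = forge_length(empty, 0xFFFFFFFF)
    claimed, _ = parse_frame(key, nonce, forged)
    # Same trick against the authenticated frame is caught by the tag check.
    blob = encrypt_frame_authenticated(key, mac_key, nonce, b"")
    tampered = forge_length(blob[:4], 0xFFFFFFFF) + blob[4:]
    rejected = parse_frame_authenticated(key, mac_key, nonce, tampered) is None
    return leaked_ok, claimed, rejected
```

The receiver in the vulnerable form happily reports a length of 0xFFFFFFFF for a four-byte frame; what it does next (allocate, read past the buffer, block waiting for bytes that never come) depends on the code around it, which is exactly the class of bug a MAC exists to rule out before the plaintext is looked at.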



