1

I have been reading about the Java deserialization vulnerability, which leads to a Remote Code Execution attack. Many public exploits are even available to do the attack.

I didn't find any tutorial describing how an attacker exploits the vulnerability. If I make a deserialization program, then how can I exploit it to perform RCE?

Limit
Rohan

2 Answers

2

I suggest you look at the public exploits to learn how they exploit the vulnerability and then ask a more specific question about anything you don't understand.

As a place for you to start, somebody made a page on GitHub that summarizes all the talks and guides. The published exploit of OpenNMS using ysoserial is about as simple as you are going to get.

mcgyver5
1

Check out this talk, it explains everything pretty well.

https://speakerdeck.com/frohoff/appseccali-2015-marshalling-pickles-how-deserializing-objects-can-ruin-your-day

kaidentity