Christophe Alladoum has posted a tutorial on the IO Active Labs Research blog on the Java debug wire protocol and its insecurities. He explains, “In this post, I will explain the Java Debug Wire Protocol (JDWP) and why it is interesting from a pentester’s point of view. I will cover some JDWP internals and how to use them to perform code execution, resulting in a reliable and universal exploitation script. This post does not reveal any 0-day exploits, but instead thoroughly covers JDWP from a pentester/attacker perspective.”
Official documentation explaining the Java debug wire protocol can be found on the JDWP page at Oracle.