Airpwn is a quick C tool that can inject http content (and other content) into wireless 802.11b networks. Tested at Defcon12; supposedly the only reliable part of the tool is to replace all http images with an image/redirect of your choosing. Might be interesting to play with on a nix box.
Update: article on using airpwn.