Domain registries provide registrars with reports of domains which are set to expire, and if you’re not a registrar yourself, you can often purchase these lists on a secondary market or use APIs built upon serving this information.
But even if you don’t have that list, you can do a Whois search for any domain and know its expiration. You could build your own database!
Note that most domains have a grace period (eg, 30 days) where the original owner can renew even after it has expired. So it’s not like you’d be able to steal someone’s domain just because of a clerical error.
It turns out that grace periods (called a "redemption grace period") weren't proposed until 2003. I'm not actually sure when this process was approved by ICANN - sometime between 2003 and 2013.
Droplists are from namejet, domain cleaning is done by checking against zone-files from ICANN (that's why I don't currently check .tv and .cc domains as there are no zone-files by ICANN provided for them. As they are country specific, I would have to build custom solutions for them, which I don't want for a proof of concept).